Method and system for secure computational outsourcing and disguise

ABSTRACT

A method and system for secure computational outsourcing and disguise. According to an embodiment, a first set of actual arguments and a second set of actual arguments for an outsourced computation are determined. A first group of disguised arguments corresponding to the first set of actual arguments is prepared with a first computer. A second group of disguised arguments corresponding to the second set of actual arguments is prepared with a second computer. The first and second groups of disguised arguments are output from the first and second computers, respectively, for performance of the outsourced computation. A third computer performs the outsourced computation and returns a disguised result to the first and/or second computers. The first and/or second computers then unveil the actual result from the disguised result.

RELATED APPLICATIONS

[0001] This application: (i) claims the benefit of U.S. ProvisionalApplication Serial No. 60/276,598, filed Mar. 16, 2001; (ii) is acontinuation-in-part of U.S. application Ser. No. 09/312,230, filed May14, 1999, which claims the benefit of U.S. Provisional ApplicationSerial No. 60/085,515, filed May 14, 1998; and (iii) is acontinuation-in-part of U.S. application Ser. No. 09/455,580, filed Dec.6, 1999, which claims the benefit of U.S. Provisional Application SerialNo. 60/152,769, filed Sep. 3, 1999. The disclosure of eachabove-referenced application is hereby incorporated by reference in itsentirety.

BACKGROUND

[0002] In many science and engineering computational problems, it isdesirable to outsource the computation to an external computing agent insuch a way that the customer's information is hidden from the externalagent, and yet the answers returned by the agent can be used to obtaineasily the true answer. The computations required to be performed on alocal computer are proportional to the size of the local input, which isunavoidable. The bulk of the computational task falls on the externalagent, which would typically be an entity with considerable computingpower, such as a supercomputing center. It is desirable to find a way toimprove these outsourcing techniques, and, in particular, to enablemultiple parties to contribute information to the outsourcedcomputation.

[0003] Rapid growth in the area of computer technology, includingnetworking schemes like the Internet, has facilitated the transmissionof data from a processing system at one site (the customer) to anothersite (the agent) to perform certain computations. Such “outsourcing” ofcertain computations may be desired, for example, when the customerlacks the hardware resources, software resources, or other know-how tocost-effectively perform the computations.

[0004] In one example, outsourcing is utilized in the financial servicesindustry, where, for instance, the customer data includes projections ofthe likely future evolution of certain commodity prices, interest andinflation rates, economic statistics, portfolio holdings, etc. Inanother example, outsourcing is utilized in the energy servicesindustry, where the proprietary data is typically seismic, and can beused to estimate the likelihood of finding oil or gas at a particulargeographic spot in question. The seismic data may be so massive that theperformance of corresponding matrix multiplication and inversioncomputations would be beyond the resources of most major oil companies.Many other industries can also benefit from outsourcing.

[0005] With the advent of computational outsourcing, concerns regardingthe agent's misappropriation of customer data or the computationalresults have arisen. These concerns arise not only with the customer,but also with an agent who wants to reduce the risk of misappropriationby its employees. One proposed technique is to utilize standardcryptographic techniques to encrypt the data sent by the customer to theagent. While encryption may enhance security with respect to anattacking third party, it still requires that the agent have access toat least some of the cryptographic information, such asencryption/decryption keys, to perform a meaningful calculation. As aresult, this technique still provides the agent ready access to theactual data. Moreover, such techniques assume the agent will be apermanent repository of the data, performing certain operations on itand maintaining certain predicates. In many instances, this situationalso is undesirable.

[0006] For the foregoing reasons, there is a need for techniquesenabling a customer to securely outsource computations to an agent. Thedesired techniques should reduce the risk of misappropriation by anagent or an agent's employee of a customer's data sent to an agent foran outsourced computation. Preferably, the desired techniques shouldenable a customer to disguise its data before disclosing it to an agent,without the need for encryption of the customer's data.

SUMMARY

[0007] The present invention relates to methods and systems for secureoutsourcing and disguise of computations, graphs, data, files,databases, and computer programs. Application of the methods and systemof the present invention reduces the risk of misappropriation by anagent or an agent's employee of a customer's data sent to an agent foran outsourced computation. The methods and systems of the presentinvention enable a customer to disguise its data before disclosing it toan agent, without the need for encryption of the data.

[0008] An embodiment of the present invention comprises a method forsecure computational outsourcing and disguise. According to thisembodiment, a first set of actual arguments and a second set of actualarguments for an outsourced computation are determined. A first group ofdisguised arguments corresponding to the first set of actual argumentsis prepared with a first computer. A second group of disguised argumentscorresponding to the second set of actual arguments is prepared with asecond computer. The first and second groups of disguised arguments areoutput from the first and second computers, respectively, forperformance of the outsourced computation. A result of the outsourcedcomputation performed with the disguised arguments then is received withthe first and second computers.

[0009] An embodiment of the foregoing method further comprises the stepof the first and second computers computing an actual answer from thereceived result. This step of computing an actual answer may comprisethe exchange of information between the first and second computers, theexchanged information being related to the preparation of the first andsecond groups of disguised arguments, thus permitting both the first andsecond computers to compute an actual answer from the result.

[0010] In another embodiment of the foregoing method, a third computerremotely located relative to the first and second computers receives thefirst and second groups of disguised arguments, performs the outsourcedcomputation, and sends the result to the first and second computers. Theresult of the outsourced computation is in a disguised form relative toanother result which would have been obtained by submitting the actualarguments to the outsourced computation.

[0011] Another embodiment of the present invention comprises a methodfor secure computational outsourcing and disguise. According to thisembodiment, a first computer is operated in accordance with one or moreinstructions to perform an outsourced computation. The first computerreceives from a first source and a second source a plurality ofdisguised arguments that obscure a plurality of actual arguments for theoutsourced computation. The first computer performs the outsourcedcomputation with the disguised arguments, and outputs a result of theoutsourced computation to both the first source and the second source.

[0012] Yet another embodiment of the present invention comprises amethod for secure computational outsourcing and disguise. According tothis embodiment, a first set of actual data is obtained. A firstcomputer prepares a first set of disguised data corresponding to thefirst set of actual data, then the first set of disguised data istransmitted from the first computer to a second computer. A second setof disguised data corresponding to a second set of actual data also isprepared. The first set of disguised data is compared to the second setof disguised data with the second computer. A result of the comparisonthen is transmitted from the second computer to the first computer.

[0013] An alternative embodiment of the foregoing method furthercomprises transmitting the second set of disguised data from a thirdcomputer to the second computer prior to comparing the first set ofdisguised data to the second set of disguised data. According to anotherembodiment of the foregoing method, the second set of actual data isstored in a database, and the third computer is operable to prepare thesecond set of disguised data from the database prior to transmitting thesecond set of disguised data to the second computer. In anotherembodiment of the foregoing method, the first set of actual data maycomprise data such as fingerprint identification data, DNA sequencedata, credit card data, image data, text data, biometric data, passworddata, keyword data, smart card data, and planar graph data.

[0014] An embodiment of the present invention comprises a method forsecuring data from unauthorized access, theft, and tampering. Accordingto this embodiment, the data and an associated computer program arestored in a computer memory. A disguising operation is performed on thedata, and a tamperproofing operation is performed on the computerprogram. In another embodiment of the foregoing method, the dataincludes a plurality of data elements and the disguising operationincludes the steps of generating a random number for each data element,and modifying each data element by adding one of the random numbers tothe data element. In yet another embodiment of the foregoing method, theseeds for generating the random numbers are obtained from the dataelements themselves.

[0015] Another embodiment of the present invention comprises analternative method for securing data from unauthorized access, theft,and tampering. According to this embodiment, the data and an associatedcomputer program are stored in a computer memory. The computer programis written in a first programming language. The computer program ispartitioned into a first program and a second program. The first programis executed to determine whether access to the data is authorized, thenthe second program is executed to entangle the second program and thedata. Lastly, the second program is translated into a second programminglanguage to secure the data.

[0016] An embodiment of the present invention comprises a method forsecuring a plurality of data elements from unauthorized access, theft,and tampering. According to this embodiment, the plurality of dataelements and an associated computer program are stored in a computermemory. The computer program is executed to generate a sequence ofrandom numbers. The sequence of random numbers is divided into aplurality of random number segments, and the plurality of data elementsare divided into a corresponding plurality of data segments. Aprogramming code segment associated with each of the random numbersegments is identified. To secure the data, the code segments and datasegments are interspersed in a file, and then each data element isreplaced with a code segment and a data segment in the file.

[0017] Another embodiment of the present invention comprises analternative method for securing data from unauthorized access, theft,and tampering. According to this embodiment, the data has an associatedfirst computer program written in a first programming language. The dataand the first computer program are stored on a computer. A secondprogramming language is created, as is a second computer program toemulate the second programming language. The second computer program isconfigured to be executed on the computer. To secure the data, the firstcomputer program is translated into the second programming languageusing the second computer program.

[0018] An embodiment of the present invention comprises a method forsecuring a picture from unauthorized access, theft, and tampering. Aplurality of points on the picture are identified, and a planar graph iscreated therefrom. Coordinates for each of the points on the planargraph are determined. The point coordinates are indexed to create avector, and then a disguising operation is performed on the vector.

[0019] An embodiment of the present invention comprises acomputer-implemented method for identifying the subject of a firstpicture by comparison to a second picture. According to this embodiment,a plurality of points on the first and second pictures are identified,and a first and a second planar graph, are respectively createdtherefrom. Coordinates for each of the points on each of the first andsecond planar graphs are determined, then the point coordinates for eachof the first and second planar graphs are indexed to create first andsecond vectors, respectively. A disguising operation is performed oneach of the first and second vectors. The disguised vectors of the firstand second graphs then are compared. A further embodiment of theforegoing method comprises the step of revealing the subject of thefirst picture by performing an unveiling operation on the firstdisguised vector.

[0020] An embodiment of the present invention comprises a method forsecuring a database from unauthorized access, theft, and tampering.According to this embodiment, the database is partitioned into acomputer program and a plurality of data entries, and a key is assignedto each data entry using the computer program. A disguising operationthen is performed on each key and on each data entry to secure thedatabase. In another embodiment of the foregoing method, the disguisingoperation includes the steps of generating random data using a randomdata generator, adding the random data to each data entry, and addingthe random data to each key to disguise the database.

[0021] An embodiment of the present invention comprises a method forsecuring computer program code from unauthorized access, theft, andtampering. According to this embodiment, the computer program code isoperable to perform a real operation on real input to produce a realoutput. A dummy program code operable to perform a dummy operation ondummy input to produce dummy output is created. Each of the real programcode and the dummy program code is replicated at least one time. Thereal operation is performed using the replicated input to produce afirst output. If the first output includes the real input, the realoperation is performed using the first output to produce a secondoutput. If the first output includes the dummy input, a dummy operationis performed using the first output to produce a third output. Thesecond output is stored as the real output, and the third output isstored as the dummy output.

[0022] An embodiment of the present invention comprises an alternativemethod for securing a computer program from unauthorized access, theft,and tampering. According to this embodiment, the computer programcomprises real programming code. Dummy program code is created. Each ofthe real program code and the dummy program code is replicated at leastone time. The dummy program code and the real program code are mixed toenhance the difficulty in understanding the computer program.

[0023] According to an embodiment of the present invention, a system forsecure outsourcing and disguise comprising a first computer and a secondcomputer is provided. The first computer is operable to define a firstset of actual arguments for an outsourced computation, and is programmedto determine a first group of disguised arguments from the first set ofactual arguments, wherein the first group of disguised argumentsobscures at least one characteristic of the first set of actualarguments. The second computer is operable to define a second set ofactual arguments for the outsourced computation, and is programmed todetermine a second group of disguised arguments from the second set ofactual arguments, wherein the second group of disguised argumentsobscures at least one characteristic of the second set of actualarguments. The first and second computers comprise first and secondoutput devices, respectively, to output the first and second groups ofdisguised arguments, respectively, for remote performance of theoutsourced computation. The first and second computers comprise firstand second input devices, respectively, to permit the receipt a resultof the outsourced computation performed with the first and second groupsof disguised arguments, respectively, the first and second computersbeing operable to determine an actual answer from the result. In anotherembodiment, the system further comprises a computing center programmedto perform the outsourced computation with the first and second groupsof disguised arguments.

[0024] The above-described embodiments of the present invention may bepracticed in the alternative or in combination. Further, theabove-described embodiments are merely illustrative and should not beconsidered restrictive or limiting, it being understood that otherforms, features, aspects, objects, and embodiments of the presentinvention shall become apparent from the drawings and descriptioncontained herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0025]FIG. 1 shows a diagrammatic view of a system according to anembodiment of the present invention.

[0026]FIG. 2 shows a flow chart of a process performed with the systemof FIG. 1 according to an embodiment of the present invention.

[0027]FIG. 3 shows a block diagram of an embodiment of selectedoperational elements for disguising arguments according to the processof FIG. 2.

[0028]FIG. 4 shows a block diagram of an embodiment of selectedoperational elements for recovering an actual answer from a disguisedresult according to the process of FIG. 2.

[0029]FIG. 5 shows a diagrammatic view of a system according to anembodiment of the present invention.

[0030]FIG. 6 shows a flow chart illustrating a matching operation usingdisguised data in accordance with an embodiment of the presentinvention.

[0031]FIG. 7 shows a diagram illustrating data ownership between twoparties according to an embodiment of the present invention.

[0032]FIG. 8 shows one example of a planar graph according to anembodiment of the present invention.

[0033]FIG. 9 shows an illustration of a planar graph according to anembodiment of the present invention representing a person's face.

[0034]FIG. 10 shows a flow diagram of one method of disguising a planargraph according to the present invention.

[0035]FIG. 11 shows a diagrammatic view of a system for securing dataand files according to the present invention.

[0036]FIG. 12 shows a flow diagram of one method of securing data andfiles according to the present invention.

[0037]FIG. 13 shows a flow diagram of another method of securing dataand files according to the present invention.

[0038]FIG. 14 shows a flow diagram of one method of disguising adatabase according to the present invention.

[0039]FIG. 15 shows an example of a tangle according to the presentinvention.

[0040]FIG. 16 shows a flow diagram of one method of disguising computerprograms according to the present invention.

DESCRIPTION

[0041] For the purpose of promoting an understanding of the principlesof the invention, reference will now be made to the embodimentsillustrated in the drawings and specific language will be used todescribe the same. It will nevertheless be understood that no limitationof the scope of the invention is thereby intended. Any alterations andfurther modifications in the described embodiments, and any furtherapplications of the principles of the invention as described herein arecontemplated as would normally occur to one skilled in the art to whichthe invention relates.

[0042]FIG. 1 illustrates system 20. System 20 includes data gatheringand processing subsystem 30 and computing center 50. Subsystem 30 isalternatively depicted as customer C, and computing center 50 isalternatively depicted as agent A. Subsystem 30 includes at least onecomputer 32. Computer 32 has memory 34, at least one input (I/P) device36, and at least one output (O/P) device 38. Computing center 50includes at least one computer 52 with memory 54, at least one input(I/P) device 56, and at least one output (O/P) device 58. Memories 34,54 each define at least one computer readable medium that is accessed bycomputers 32, 52, respectively.

[0043] In one example, computers 32, 52 are of the programmable, digitalvariety, and memories 34, 54 are comprised of one or more components ofa solid-state electronic type, an electromagnetic type like a hard diskdrive, an optical type like a Compact Disk Read Only Memory (CD ROM), ora combination of any two or more of these. In other embodiments,computer 32 or computer 52 and/or memory 34 or memory 54 may beotherwise configured as would occur to those skilled in the art.Typically, computers 32, 52 will differ in some regard with respect toone another as is more fully explained hereinafter; however, otherembodiments of the present invention may include computers 32, 52 thatare substantially the same.

[0044] Input devices 36, 56 may include standard operator input devicessuch as a keyboard, mouse, digitizing pen, dedicated equipment forautomatically inputting data, or such other devices as would occur tothose skilled in the art. Output devices 38, 58 may include one or moredisplays, printers, or such other types as would occur to those skilledin the art. Further, input devices 36, 56 or output devices 38, 58 maybe in the form of components that perform both input and outputoperations such as one or more modems or other communication links. Suchcomponents may alternatively be considered a computer transmissionmedium for sending and receiving data.

[0045]FIG. 1 depicts network 40 communicatively coupling subsystem 30and computing center 50. Network 40 may be an Internet connection orother form of network as would occur to those skilled in the art.Further, portable memory medium 42 is shown as another means ofexchanging data between subsystem 30 and computing center 50. Portablememory medium 42 may be in the form of one or more electromagneticdisks, tapes, or cartridges, optical disks, or such other form as wouldoccur to those skilled in the art. It should be appreciated that network40 and medium 42 may each be considered as being one of input devices34, 54 and/or one of output devices 38, 58; and alternatively may eachbe regarded a type of data transmission medium for the transmission ofcomputer data.

[0046] Referring now to FIG. 2, outsourcing process 120 is shown. Instage 131 of process 120, subsystem 30 identifies and collects a groupof actual arguments AA for a computation to be outsourced. As usedherein, “argument” refers broadly to any symbol, value, function,description, code, or other mathematical object or other equivalentthereto that is input to a computation. Typically, subsystem 30 is notas desirable as computing center 50 for performance of the computationdesignated for outsourcing. This distinction may arise from one or moredifferences relating to hardware, software, operator expertise, oravailable processing 5 time. However, in other embodiments, the decisionto outsource a particular computation may be independent of any suchdifferences.

[0047] Once arguments are determined in stage 131, the outsourcedcomputation is classified into one of a number of types in stage 133. Anonexclusive listing of computation types that may be good candidatesfor outsourcing is provided in Table I as follows: TABLE I No. Type 1.Matrix Multiplication 2. Matrix Inversion 3. Solution of a Linear Systemof Equations 4. Quadrature 5. Convolution 6. Numerical Solution ofDifferential Equations 7. Optimization 8. Solution of a Nonlinear System9. Image Edge Detection 10. Image Template Matching 11. Sorting 12.Character String Pattern Matching

[0048] It should be appreciated that the list of Table I is merelyillustrative, and that other types of outsourced computations andclassifications may be utilized in other embodiments. For example, thoseskilled in the art will appreciate that computational types such asintegral equations, statistical regression and correlations, naturallanguage processing, biometric data matching, database analysis, datamining, and classification problems such as medical diagnosis,vulnerability assessments, mechanical trouble shooting, and computererror diagnosis all are within the scope of the present invention.

[0049] After classification, process 120 resumes with operation 220 todetermine a set of disguised arguments DA based on the outsourcedcomputation classification and the actual arguments AA. Disguisedarguments DA are created in operation 220 to hide the nature of actualarguments AA from the agent A selected to perform the outsourcedcomputation, but at the same time to permit recovery of a meaningfulactual answer SA by customer C from data provided by the computation.Several nonexclusive examples of the preparation of disguised argumentsDA and recovery of actual answer SA are provided hereinafter inconnection with the description of FIGS. 3 and 4.

[0050] Once disguised arguments DA are prepared, subsystem 30 (customerC) sends disguised arguments DA to computing center 50 (agent A) toperform the outsourced computation in stage 135. The transmission instage 135 may also include instructions regarding the type of outsourcedcomputation. Alternatively, the nature of the computation may beestablished either before or after disguised arguments DA are sent.Disguised arguments DA and any instructions concerning the outsourcedcomputation to be performed may be transmitted to computing center 50via network 40, through portable computer readable medium 42, acombination of these, or through such other means as would occur tothose skilled in the art.

[0051] In stage 151, computing center 50 performs the designatedcomputation with disguised arguments DA. For example, computer 52 mayexecute programming instructions stored in memory 54 to perform thiscomputation. In one example, computer 52 of computing center 50 isprogrammed to perform several different types of computations includingone or more of those listed in Table I. Because disguised arguments DAare used, the result of the outsourced computation performed bycomputing center 50 typically differs from the actual answer SA thatwould have resulted if the outsourced computation had been performedwith the actual arguments AA. The result for the computation performedwith disguised arguments DA is then, in turn, hidden or disguised and isdesignated as disguised result DR. Computing center 50 sends disguisedresult DR back to subsystem 30 in stage 152. Subsystem 30 receivesdisguised result DR in stage 161 and recovers the desired actual answerSA in operation 260. The recovery of actual answer SA is described ingreater detail in connection with FIGS. 3 and 4 and the examples thatfollow.

[0052] It should be appreciated that disguised arguments DA anddisguised result DR are the only information available to computingcenter 50, such that the true nature of the data and answer for theselected outsourced computation are hidden through process 120.Consequently, outsourcing process 120 provides a measure of securityrelative to simply trusting agent A with the actual arguments AA and/oractual answer SA. Further, the degree of security may be varied inaccordance with the particular nature of the outsourced computation andvarious parameters associated with operations 220 and 260 of process120, as will be discussed in more detail hereinafter.

[0053] Referring now to FIGS. 3 and 4, the preparation of disguisedarguments DA and the recovery of actual answer SA are further describedas performed by operations 220 and 260, respectively. FIGS. 3 and 4 bothinclude a block representative of outsourcing security program 230.Program 230 resides in memory 34 and is configured to be executed bycomputer 32. In FIG. 3, program 230 receives actual arguments AA asinput 222. Program 230 also receives input 224. Input 224 indicates thetype of outsourced computation as determined through the classificationperformed in stage 133.

[0054] Program 230 has access to one or more pseudorandom numbergenerators 232 residing in the form of one or more executablesubroutines in memory 34. Also, memory 34 includes disguise library 234.Library 234 includes a number of different forms of argument disguiseoperations one or more of which are used to form a given set ofdisguised arguments DA. Various classes of the disguised operations arelisted in Table II that follows: TABLE II No. Class 1. Random Objects 2.Linear Operator Modification 3. Object Modification 4. Domain and/orDimension Modification 5. Coordinate System Modification 6. Identitiesand Partitions of Unity

[0055] The listing of Table II is meant to be merely representative, itbeing understood that other forms and classes of disguises mayalternatively or additionally be included as would occur to thoseskilled in the art. For example, those skilled in the art willappreciate that disguising operations such as domain mapping, logicalidentity substitution, and inserting redundant computations all arewithin the scope of the present invention.

[0056] The first class of disguises are random objects: numbers,vectors, matrices, permutations, or functions, to name a few. Theseobjects are “mixed into” the computation in some way to disguise it, andare at least in part created from random numbers. If the numbers aretruly random, then they should be saved in record 236 for use in thedisguise and recovery of actual answer SA. If the random numbers comefrom a pseudorandom number generator, such as generators 232, then it issufficient to save the seed and parameters of the generator in record236.

[0057] Under some circumstances, it may be desirable to hide as muchinformation as possible about the characteristics of the random numbergeneration technique utilized. It should be appreciated that once thedistribution characteristics are known, it may become easier to detecttrue data being obscured by the random numbers. For example, if randomnumbers generated uniformly in some interval centered at zero where eachrandom number is added to a different entry of a large vector to behidden, the random values would not do a good job of “hiding” the truevalues of the vector entries because the sum of the modified vectorentries would be very close to the sum of the true value entries of thevector given the relationship of the random values to zero.

[0058] In one embodiment, rather than using a pseudorandom numbergenerator with the same probability distribution for every random numberutilized, the exact form of distribution used may be varied from onerandom value to the next. Thus, random number generators 232 each mayhave a different distribution to better hide their correspondingprobabilistic characteristics. For this approach, random numbergenerators 232 may further be arranged to provide a one-time randomsequences. To illustrate, let four random number generators 232 bedesignated as: G1=a uniform generator with upper range and lower rangeparameters; G2=normal generator with mean and standard deviationparameters; G3=exponential generator with mean and exponent parameters;and G4=gamma generator with mean and shape parameters. Thus, for thisillustration each generator G1-G4 has a different pair of distributionparameters. Twelve random numbers are selected. The first eight are theparameter pairs of the four generators G1-G4 and the other four are theα₁, α₂, α₃, α₄ coefficients used to create the one time random sequence,as indicated by expression (1) that follows:

α₁G1+α₂G2+α₃G3+α₄G4  (1)

[0059] Note that in creating this one set of random numbers, a total of16 numbers are used, the 8 generator parameters, the 4 coefficientsα₁-α₄, and 4 seeds for generators G1-G4, respectively. In otherembodiments, a different number and configuration of random numbergenerators may be utilized to provide a desired set of random numbers,according to a desired level of security for a given problem. In analternative embodiment, the desired level of security for a givenproblem may not require more than one random number generator to providedesired random objects. For still another embodiment, random numbers maynot be used at all, instead utilizing other disguise operationsaccording to the present invention. For this embodiment, generators 232may be absent.

[0060] One way security techniques based on random numbers might bedefeated includes a type of “statistical attack” that attempts to deriveinformation about a given random number generator through matching thenumbers to those produced by known random number generation techniques.Typically, the amount of processing needed to derive such informationfor robust random number generators is cost prohibitive. However, thistype of attack may still be of concern in alternative embodiments wherea higher level of security is desired—especially with the rapidadvancement of computer processing technology making large scalegeneration of random numbers required for such an attack less costly.

[0061] Correspondingly, in addition to the one-time random sequencegeneration techniques previously described in connection with expression(1), the resistance of random number generators to a statistical attackin such alternative embodiments may be addressed by: (a) using randomnumber generators 232 with real valued parameters having at least a 32bit length whenever possible; (b) restarting random number generators232 from time-to-time with new input values; and/or (c) changing thetype of random number generators 232 used from time-to-time.

[0062] Another type of statistical attack is to attempt to determine theparameters of the probability distribution used to generate a group ofrandom numbers. For this type, one can estimate the moments of theprobability distribution by computing the moments of a collected sampleof generated random numbers. The mean of the sample of size N convergesto the mean of the distribution with an error that generally behavesaccording to O(1/{square root}{square root over (N)}); where thefunction O(x) denotes “processing time on the order of x.” Thus, thefunction O(

[0063]1/{square root}{square root over (N)}) corresponds to processingtime on the order of 1/{square root}{square root over (N)}. While thisrate of convergence is slow, a large sample with N=10,000,000 may beutilized to provide estimates of moments with accuracy of about 0.03%.An alternative embodiment may be arranged to address thisparameter-based statistical attack by: (a) using random numbergenerators 232 with complex probability distribution functions toincrease the number of different moments that need the attacker needs todefeat the security; (b) restarting the random number generator fromtime-to-time with new input values such that the sequence size generatedwith a given value is restricted; (c) increase the number of parametersutilized to characterize the random number generator probabilitydistribution function; and (d) using data values to generate seeds forrandom number generators and occasionally replacing randomly generatedvalues by actual data values or other data dependent values.

[0064] Once random numbers have been provided using one or more of theseembodiments, then random vectors, matrices, and arrays may be generatedusing standard techniques. Random objects with integer (or discrete)values, such as permutations, also can be created from random numbersusing standard techniques.

[0065] Random objects may further include determining one or more randomfunctions in accordance with a set of random numbers. One embodiment ofa random function determination routine that may be provided in program230 begins with the selection of the dimension or basis of acorresponding function space F. Typically the basis should be relativelyhigh to promote a greater degree of security. For example, a basis of 10or 30 functions for a high dimensional space F of functions may beselected. Next, a random point in F is determined with one or moregenerators 232 to obtain a random function. The selection of the basisand other parameters, such as the domain and range of the desired randomfunctions should be selected to be compatible with the computation to bedisguised and generally should have high linear independence when astable inversion of disguised results DR is desired.

[0066] To provide space F as a one-time random space, the followingprocess may be included in the routine:

[0067] (a) Define the domain of the computation to correspond to a box(interval, rectangle, box, or other corresponding construct depending onthe selected dimension).

[0068] (b) Select a random rectangular grid in the box with 10 lines ineach dimension and assure a minimum separation.

[0069] (c) Generate K sets of random function values at all the gridpoints (including the boundaries), one set for each basis functiondesired (these values are selected to be in a desired range).

[0070] (d) Interpolate these values by cubic splines to create K basisfunctions. The cubic splines may be formed in accordance with C. deBoor,A Practical Guide to Splines, SIAM Publications, (1978) which is herebyincorporated by reference in its entirety. It should be appreciated thatcubic splines are smooth and have two continuous derivatives.

[0071] (e) Add a basis for quadratic polynomials to this set of K basisfunctions.

[0072] This approach can be modified to make many kinds of one-timerandom spaces of functions. If functions with local support are needed,the cubic splines may be replaced with Hermite quintics as described indeBoor. If it is desirable for the functions to vary more in one part ofthe domain than another, then the grid may be refined in thecorresponding part. If it is desirable for the functions to be more orless smooth, then the polynomial degree and smoothness of the splinesmay be adjusted as appropriate, as described in deBoor. In still otherembodiments, other techniques of random function generation may beutilized as would occur to those skilled in the art.

[0073] One way an attacker might try to defeat disguises based on randomfunctions is through an “approximation theoretic attack.” This type ofattack can based on observations about the approximating power of thedisguised functions. In one example, let u(x) be an original function,and f(x) be a disguise function in function space F such thatg(x)=u(x)+f(x) is observable by agent A. Agent A may evaluate g(x)arbitrarily and, in particular, agent A might (if F were known)determine the best approximation g*(x) to g(x) from F. Then thedifference g*(x)−g(x) equals u*(x)−u(x) where u*(x) is the bestapproximation to u(x) from F. Thus g*(x)−g(x) is entirely due to u(x)and gives some information about u(x).

[0074] An alternative embodiment arranged to address an approximationtheoretic attack includes choosing F to have very good approximatingpower so that the size of g*(x)−g(x) is small. For example, if u(x) isan “ordinary” function, then including in F the cubic polynomials andthe cubic splines with 5 or 10 breakpoints (in each variable) generallyimproves approximation power. If u(x) is not “ordinary” (e.g., is highlyoscillatory, has boundary layers, has jumps or peaks) then includingfunctions in F with similar features reduces the ability of agent A todiscover information about u(x) from g(x). Another aspect that makesthis kind of attack more difficult is to establish F as a one-timerandom space as previously described. For this aspect, because F itselfis then unknown, the approximation g*(x) cannot be computed accuratelyand any estimates are correspondingly less uncertain. Still a furtheraspect is to approximate the function object u(x) with high accuracy,such as a variable breakpoint piecewise polynomial, and adding one ormore disguise functions with the same breakpoints and different values.Yet, in other embodiments, it may not be desired to take additionalmeasures to address a statistical attack, an approximation theoreticattack, or both.

[0075] The second class of disguise operations include linear operatormodification, where the operator equation is of the form Lu=b. Forexample, the linear and differential equations of the followingexpressions (2) and (3), respectively, are of this form:

linear equations: Ex=b  (2)

differential equations: y″+cos(x)y′+x ² y=1−xe ^(−x)  (3)

[0076] This second class of disguises exploits linearity by randomlychoosing v that is the same type of mathematical object as u, and thensolving L(u+v)=b+Lv, where Lv is evaluated to be the same mathematicalobject type as b. In one embodiment, v is selected to be a combinationof a random function and functions that already appear in the equation.For example, one could choose v(x) in the above differential equation(3) to be v_(Ran)(x)+4.2 cos(x)−2.034xe^(−x); where v_(Ran)(x) is therandom function component. In still other embodiments, differentsubstitutions may be made as would occur to those skilled in the art.

[0077] A third class of disguise operations modify various mathematicalobjects of the computation to be outsourced. Such modifications mayinclude addition or multiplication to disguise the computation. Oneexample of an objection modification disguise is to add a randomfunction to an integral as exemplified by expression (4) that follows:$\begin{matrix}{\int_{0}^{1}{\sqrt{x}{\cos \left( {x + 3} \right)}}} & (4)\end{matrix}$

[0078] In another example of object modification, the solution of theEx=b may be disguised by multiplying with 2 random diagonal matrices, D₁and D₂, to provide B=D₁ED₂ with subsystem 30; where E is an n×n matrixand b is a corresponding vector of n. The resulting matrix B is thenprovided as part of the outsourced computation of expression (5) asfollows:

By=D₁b  (5)

[0079] The solution x is then obtained from x=D₂y.

[0080] In a fourth class of disguises, the domain or dimensions, aremodified. Modification techniques may include expansion, restriction,splitting or rearrangement. In an example of expansion, the evaluationof the integral of expression (6) that follows: $\begin{matrix}{\int_{0}^{1}{\sqrt{x}{\cos \left( {x + 3} \right)}}} & (6)\end{matrix}$

[0081] or solution of the problem of related type on [3,5] as shown inexpression (7) that follows:

y′(x)=(x+y)e ^(−xy) , y(3)=1  (7)

[0082] can be modified by expanding [0,1] to [0,2] and [3,5] to [2,5],respectively. In the case of expression (6), a random function u(x) isselected from function space F with u(1)=cos(4); it is integrated on[1,2]; and {square root}{square root over (x)} cos(x+3) is extended to[0,2] using u(x). In the second case of expression (7), a randomfunction u(x) is selected from function space F with u(3)=1 andu′(3)=4e⁻³. Its derivative u′(x) and its value u(2) are computed, andthe following expressions (8) is solved with initial conditiony′(2)=u′(2): $\begin{matrix}\begin{matrix}{{y^{\prime}(x)} = \quad {\left( {x + y} \right)e^{- {xy}}}} & {\quad {{on}\quad\left\lbrack {3,5} \right\rbrack}} \\{= \quad {u^{\prime}(x)}} & {\quad {{on}\quad\left\lbrack {2,3} \right\rbrack}}\end{matrix} & (8)\end{matrix}$

[0083] In an example of restriction, the dimension of a linear algebracomputation is decreased by performing a part of it with subsystem 30,and outsourcing the rest. For example, in solving Ex=b, (where E is ann×n matrix and b is a corresponding vector of dimension n), one of theunknowns is selected and eliminated by Gauss elimination at random bycustomer C (subsystem 30); and the remaining computation is then sent tothe agent A (computing center 50). Correspondingly, the order of thematrix changes by 1 and, further, it modifies all the remaining elementsof E and b.

[0084] In an example of splitting, a problem is partitioned intoequivalent subproblems by splitting the domain. In the case ofquadrature, this technique may be readily applied. The linear algebraproblem Ax=b, (where A is an n×n matrix and b is a corresponding vectorof dimension n), can be split by partitioning in accordance with thefollowing expression (9): $\begin{matrix}{A = \begin{pmatrix}A_{11} & A_{12} \\A_{21} & A_{22}\end{pmatrix}} & (9)\end{matrix}$

[0085] and creating two linear equations as shown in followingexpressions (10) and (11):

A ₁₁ x ₁ =b ₁ −A ₁₂ x ₂  (10)

(A ₂₂ −A ₂₁ A ₁₁ ⁻¹ A ₁₂)x ₂ =b ₂ −A ₁₁ ⁻¹ b ₁  (11)

[0086] In another example, the differential equation problem of thefollowing expression (12):

y′(x)=(x+y)e ^(−xy) and y′(3)=1 on [3,5]  (12)

[0087] can be split into the expressions (13) and (14) that follow:

y′(x)=(x+y)e ^(−xy) y′(3)=1, on [3,4]  (13)

y′(x)=(x+y)e ^(−xy) y′(4)=as computed, on [4,5]  (14)

[0088] Accordingly, splitting may be utilized to disguise differentcomputation parts in different ways.

[0089] A fifth class of disguise operations include utilizing one ormore coordinate system changes. A related disguise for discreteproblems, such as a linear algebra computations, are permutations of thecorresponding matrix/vector indices. Coordinate system changes have beenfound to be particularly effective for enhancing security of outsourcedcomputations concerning optimization and solutions to nonlinear systems.For example, consider the two-dimensional partial differential equation(PDE) problem of the following expressions (15): $\begin{matrix}\begin{matrix}{{{\nabla^{2}{f\left( {x,y} \right)}} + {\left( {6.2 + {12{\sin \left( {x + y} \right)}}} \right)f}} = {g_{1}\left( {x,y} \right)}} & {\quad {\left( {x,y} \right)\quad {in}\quad R}} \\{{f\left( {x,y} \right)} = {b_{1}\left( {x,y} \right)}} & {\quad {\left( {x,y} \right)\quad {in}\quad R_{1}}} \\{{f\left( {x,y} \right)} = {b_{2}\left( {x,y} \right)}} & {\quad {\left( {x,y} \right)\quad {in}\quad R_{2}}} \\{{\frac{\partial{f\left( {x,y} \right)}}{\partial x} + {{g_{2}\left( {x,y} \right)}{f\left( {x,y} \right)}}} = {b_{3}\left( {x,y} \right)}} & {\quad {\left( {x,y} \right)\quad {in}\quad R_{3}}}\end{matrix} & (15)\end{matrix}$

[0090] where R₁, R₂, and R₃ comprise the boundary of R. To implement thechange of coordinates, u=u(x,y), v=v(x,y), one must be able to invertthe change, that is find the functions x=x(u,v), y=y(u,v) and computederivatives needed in the PDE as given in the following expression (16):$\begin{matrix}{\frac{\partial^{2}f}{\partial x^{2}} = {{\frac{\partial^{2}f}{\partial u^{2}}\left( \frac{\partial^{2}u}{\partial x^{2}} \right)^{2}} + {\frac{\partial f}{\partial u}\frac{\partial^{2}u}{\partial x^{2}}} + {\frac{\partial^{2}f}{\partial v^{2}}\left( \frac{\partial v}{\partial x} \right)^{2}} + {\frac{\partial f}{\partial v}\frac{\partial^{2}u}{\partial x^{2}}}}} & (16)\end{matrix}$

[0091] The change of coordinates produces an equivalent PDE problem onsome domain D in (u,v) space of the form given by the followingexpression (17): $\begin{matrix}\begin{matrix}{{\sum\limits_{i,{j = 0}}^{2}{{a_{ij}\left( {u,v} \right)}\frac{\partial^{i}\partial^{i}}{{\partial u^{i}}{\partial u^{j}}}{f\left( {u,v} \right)}}} = {h_{1}\left( {u,v} \right)}} & {\left( {u,v} \right){\varepsilon S}} \\{{f\left( {u,v} \right)} = {c_{1}\left( {u,v} \right)}} & {\left( {u,v} \right){\varepsilon S}_{1}} \\{{f\left( {u,v} \right)} = {c_{2}\left( {u,v} \right)}} & {\left( {u,v} \right){\varepsilon S}_{2}} \\{{{{d_{1}\left( {u,v} \right)}\frac{\partial{f\left( {u,v} \right)}}{\partial u}} + {{d_{2}\left( {u,v} \right)}\frac{\partial{f\left( {u,v} \right)}}{\partial v}} + {{d_{3}\left( {u,v} \right)}{f\left( {u,v} \right)}}} = {c_{3}\left( {u,v} \right)}} & {\left( {u,v} \right){\varepsilon S}_{3}}\end{matrix} & (17)\end{matrix}$

[0092] where S₁, S₂, and S₃ are the images of R₁, R₂, and R₃, and thefunctions a_(ij)(u,v), h₁(u,v), c_(i)(u,v), d_(i)(u,v) are obtained fromsubstituting in the changes of variables and collecting terms.

[0093] There are a number of coordinate changes where the inverse isknown explicitly. In cases where the availability of this knowledge mayunacceptably compromise security, other coordinate changes may beutilized by determining the inverse numerically. In one embodiment, theprocedures described to create one-time coordinate changes usingparameterized mappings with randomly chosen parameters in C. J. Ribbens,A Fast Adaptive Grid Scheme for Elliptic Partial Differential Equations,ACM Trans. Math. Softw., 15, (1989), 179-197; or C. J. Ribbens,Parallelization of Adaptive Grid Domain Mappings, In Parallel Processingfor Scientific Computing, (G. Rodrique, ed.), SIAM, Philadelphia,(1989), 196-200) may be utilized to numerically determine inverses forthis class of disguise, and are hereby incorporated by reference intheir entirety herein. In one variation of this embodiment, coordinatechanges in the variables are made independently such as: u=u(x) andv=v(y).

[0094] A sixth class of disguises include substitution with equivalentmathematical objects, such as identities, and partitions of unity. Ithas been found that this type of disguise improves security even whenrandom objects are readily separated from “actual” objects of a givencomputation.

[0095] Examples of identities that might be utilized in this way includethe following collection of expressions (18):

a ² −ax+x ²=(a ³ +x ³)/(a+x)

log(xy)=log x+log y

1+x=(1−x ²)/(1−x)

sin(x+y)=sin x cos y+cos x sin y

cos² x=sin² y+cos( x+y)cos(x−y)

p cos x+q sin(y)={square root}{square root over (p ² +q ²)}cos(x−cos⁻¹(p/{square root}{square root over (p²+q)}))

sin(3(x+y))=3 sin(x+y)−4 sin³(x+y)  (18)

[0096] Thus, if any component of these identities appears symbolicallyin a computation, the equivalent expression can be substituted todisguise the problem. A general source of useful identities for thisclass of disguise comes from the basic tools for manipulatingmathematics, e.g., changes of representation of polynomials (power form,factored form, Newton form, Lagrange form, orthogonal polynomial basis,etc.), partial fraction expansions or series expansions. Other relationsthat may be useful in disguises of this kind include the Gamma, Psi, andStruve functions as respectively defined by expressions (19)-(21) asfollows:

┌(x+1)=x┌(x);  (19)

ψ(x+1)=ψ(x)+1/x; and  (20)

H _(½)(x)=(2/πx)^(½)(1−cos x).  (21)

[0097] The functions of expressions (19)-(21) can be combined withselected expressions (18) to provide the following identity expressions(22) and (23):

sin(x)=[sin(ψ(1+1/x)+x)−sin(ψ(1/ 0 x))cos x]/cos(ψ(1/x))  (22)

log(x)=log┌(x)+log(┌(x=1)H _(½)))−log(1 −cos x)+½log(πx/2)  (23)

[0098] Identities that are equal to 1 are generally referred to aspartitions of unity. Partitions of unity can be readily used in a givencomputation. Examples of this form of identity are collected as thefollowing expressions (24):

sin² x+cos² x=1

sec ²(x+y)−tan²(x+y)=1

(tan x+tan y)/tan(x+y)+tan x tan y=1

b ₁(r,x)+b ₂(r,s,x)+b ₃(r,s,x)+b ₄(s,x)=1

[0099] where the b_(i) are “hat” functions defined by:

[0100] b₁(r,x)=max(1−x/r,0)

[0101] b₂(r,s,x)=max(0, min(x/r,(s−x)/(s−r)))

[0102] b₃(r,s,x)=max(0,min((x−r)/(s−r),(1−x)/(1−s)))

[0103] b₄(x,s)=max(0,(x−s)/(1−s))

[0104] each of which is a piecewise linear function with breakpoints at0, r, s, and/or 1. Generalizations of this partition of unity are knownfor an arbitrary number of functions, arbitrary polynomial degree,arbitrary breakpoints, and arbitrary smoothness (less than thepolynomial degree). Partitions of unity facilitate the introduction ofunfamiliar and unrelated functions into symbolic expression. Thus thesecond partition of expressions (24) above becomes the followingexpression (25):

sec ²(y ₇(x)+u(1.07296, x))−tan²(y ₇(x)+u(1.07296,x))=1  (25)

[0105] where y₇(x) is the Bessel function of fractional order andu(1.07296,x) is the parabolic cylinder function. R. F. Boisvert, S. E.Howe, and D. K. Kahaner, Guide to Available Mathematical Software(GAMS): A Framework for the Management of Scientific Software, ACMTrans. Math. Software, 11, (1995), 313-355, lists 48 classes offunctions which can be used in such identities and for which librarysoftware is available, and is hereby incorporated by reference.

[0106] Further, disguises may be enhanced by using functions andconstants that appear in the actual arguments AA. Thus, if 2.70532, x²,cos(x), and log(x) initially appear in an ordinary differentialequation, one could use identities that involve these objects or closelyrelated ones, e.g., 1.70532, 2x²−1, cos(2x); or log (x+1). Because ofthe difficulty in establishing identities, it is expected that usingseveral identities in a mathematical model provides a correspondingincrease in the degree of security. Further, one-time identities may beprovided. For example, there are several library programs to compute thebest piecewise polynomial approximation to a given function f(x) witheither specified or variable breakpoints as described in C. deBoor andJ. R. Rice, An Adaptive Algorithm for Multivariate Approximation GivingOptimal Convergence Rates, J. Approx. Theory, 25, (1979), 337-359; andC. deBoor, A Practical Guide to Splines, SIAM Publications, (1978), thatare hereby incorporated by reference in their entirety herein. It shouldbe appreciated that with these techniques, the number of breakpointsand/or polynomial degrees can be increased to provide arbitraryprecision in these approximations. Thus, given the following expression(26):

f(x)=sin(2.715x+0.12346)/(1.2097+x ^(1.07654))  (26)

[0107] or that f(x) is computed by a 1000 line code, one can use theselibrary routines to replace f(x) by a code that merely evaluates apiecewise polynomial with “appropriate” coefficients and breakpoints.One time identities may also use the classical mathematical specialfunctions that have parameters, e.g., incomplete gamma and betafunctions, Bessel function, Mathieu functions, spheroidal wavefunctions, and parabolic cylinder functions as further described in M.Abramowitz and I. A. Stegun, Handbook of Mathematical Functions, Appl.Math. Series 55, National Bureau of Standards., U.S. Govt. PrintingOffice, (1964) that is hereby incorporated by reference in its entiretyherein.

[0108] Having described a few different classes of disguises as listedin Table II, it should be appreciated that this description is notintended to be exclusive; it being understood that other types ofdisguises as would occur to those skilled in the art also arecontemplated. Further, while in some embodiments it is desirable toapply only one particular disguise operation prior to outsourcing, inother embodiments it may be desirable to enhance the degree of securityby applying multiple disguise operations. Indeed, for a given type ofoutsourced computation, within each class of Table II there may beseveral or many disguises that can be simultaneously utilized with orwithout disguises of one or more other classes. Likewise, some classesof disguises in library 234 may be better suited to obscure or hide theactual arguments AA for a given type of outsourced computation thanothers. For example, it has been found that coordinate system changesare one of the more effective disguises for outsourced computationsinvolving optimization and solutions of nonlinear systems.

[0109] The selection of one or more disguises from library 234 andconstruction of a multiple disguise procedure may be based on severalfactors. One factor is the motivation to outsource. If the motivationincludes a relative savings in processing time, then the time taken toperform operations 220, 260 should not defeat such savings. For example,if the problem domain involves n×n matrices, then an operation count foroperations 220, 260 on the order of n² might be acceptable to providesecurity for an outsourced computation that has an operation count onthe order of n³, as is commonly associated with matrix inversion andmultiplication. However, if the motivation concerns other matters suchas availability of software or programming expertise, the relativeprocessing time may be unimportant. Moreover, it should be understoodthat the invention is not intended to be limited to a particularmotivation or relative distinction regarding the outsourced computation.

[0110] Another factor is the invertability of the disguised result DRonce the outsourced computation is completed. For example, it may bedesired that the disguise be fully invertible that is, after thedisguise is applied and the disguised computation made, an actual answerSA may be recovered that corresponds to actual arguments AA. Still, inother embodiments, it may only be desired that an approximated recoverybe performed, so that the degree of recovery of actual answer SA mayvary.

[0111] Still another factor is the degree of security afforded by agiven form of disguise. Ideally, once a given disguise is applied, agentA (computing center 50) should not be able to discover either theoriginal computation or its result; however, in practice, the level ofsecurity utilized may vary for a given situation. Yet another factor toconsider is the relative cost of a particular disguise procedure.Generally, this operates as a trade-off with the degree of securitysought. Program 230 is arranged to provide sequencing control of adisguise, outsourcing, retrieval, and disguise inversion actions. Aspart of operation 220 shown in FIG. 3, program 230 receives the actualarguments AA as input 222 and the type of computation selected to beoutsourced as input 224. In response, program 230 selects one or moredisguise operations from library 234 in accordance with a suitabledisguise procedure for inputs 222, 224. Program 230 may include a numberof predetermined disguise procedures based on input 222 and/or input224, operator input, one or more routines to synthesize a suitableprocedure, or a combination of these.

[0112] In one embodiment, a routine to synthesize or suggest thedisguise procedure may be determined, at least in part, from inputscorresponding to one or more of the previously described factors listedas follows: (a) outsourced computation type, (b) type/quantity of actualarguments, (c) processing constraints of subsystem 30 (such as theamount of preparation/recovery processing to be performed by subsystem30), (d) motive for outsourcing, (e) degree of security desired, and (f)cost constraints. In still other embodiments, these factors may not beconsidered by program 230. Indeed, in one alternative embodiment, theparticular disguise procedure is completely manually entered by anoperator.

[0113] Once the disguise procedure is determined, program 230 constructsthe disguised arguments DA using the selected disguise operations fromlibrary 234. Program 230 also coordinates the storage of appropriatedisguise parameters in outsourced computation record 236 for laterretrieval to recover the actual answer SA. Among its disguise operationroutines, program 230 includes one or more routines to provideappropriate random objects with random number generators 232 as neededfor a particular disguise procedure. A record 236 is maintained byprogram 230 for each outsourced computation at least until a result isreceived and processed via operation 260. Typically, the recordedparameters include relevant random numbers or corresponding keys for oneor more random numbers, the selected disguise operations applied, areference to actual arguments AA corresponding to the given outsourcedcomputation, and such other information as required to recover actualanswer SA. After the disguised arguments DA are created, they are sentto the selected agent A, such as computing center 50, as output 250.

[0114] Depending on a given disguise procedure, a substantial number of“keys” may be needed to reconstruct an actual answer SA from a disguisedresult DR. For example, if a significant number of random objects areused, random number generator parameters, generator seeds, relatedcoefficients, and/or perhaps the random numbers themselves may bemaintained in a corresponding record 236. It may be desirable to avoidkeeping and labeling these keys individually. In one alternativeembodiment of program 230, a “master key” is created that may be storedin record 236 in lieu of a large number of keys for a given outsourcedcomputation. This master key is provided to create an arbitrary numberof derived keys or “sub-keys.” For this embodiment, let K be the masterkey and k_(i), i=1,2, . . . ,N, be the sub-keys (where “i” is an integerindex variable). The sub-keys k_(i) are derived from K by a procedure Psuch as the following:

[0115] (a) represent K as a long bit string (a 16 character key Kgenerates 128 bits using ASCII notation);

[0116] (b) generate a bit string of length 128 bits with a random numbergenerator G for each i=1,2, . . . ,N; and

[0117] (c) apply the randomly generated bit string of length 128 as amask on the representation of K—select those bits of K where the randombit is one.

[0118] Thus, with a single key K and a random number generator G (suchas one of generators 232), we can create many sub-keys. It should beappreciated that for procedure P, each k_(i) is easily derived from K;however, knowledge of even a substantial set of the k_(i) gives noinformation about K even if the generation procedure P is known.Correspondingly, because many of the sub-keys may be seeds or parametersfor random number generators, large sets of random numbers can be usedwith a reduced risk of revealing the master key or other sub-keys evenif a statistical attack on this aspect of the disguise is successful.

[0119] Referring to FIG. 4, program 230 receives disguised result DRfrom computing center 50 as input 262. Program 230 references thecorresponding record 236 to determine the processing needed to recoveractual answer SA from the disguised result DR. The actual answer SA isprovided as output 264 by program 230.

[0120] Having described process 120 and operations 220, 260, thefollowing examples of different types of outsourced computations aredescribed, it being understood that these examples are merelyillustrative and should not be considered limiting or restrictive incharacter. These examples are described in terms of system 20 andprocess 120; however, other systems and processes may be utilized toexecute these examples as would occur to those skilled in the art.Further, it should be understood that program 230 may includeinstructions or routines in accordance with one or more of the disguiseoperations of these examples, but one or more different programs and/oroperator input of one or more operations may be utilized. Likewise,computer 52 of computing center 50 may be programmed to execute theoutsourced computations associated with these examples, or differentagents A may be used for the various procedures described in theexamples.

EXAMPLE ONE

[0121] Matrix multiplication of two n×n matrices M₁ and M₂ may bereadily disguised in accordance with a first example of the presentinvention designated as disguise procedure DP1. Matrices M₁ and M₂ arethe actual arguments AA to be outsourced. For DP1, the Kronecker deltafunction, δ_(xy) is utilized which equals 1 if x=y, and 0 if x≠y.Subsystem 30 performs the following stages a.-c. to prepare disguisedarguments DA in accordance with DP1:

[0122] a. creates (i) three random permutations π1, π2, and π3 of theintegers {1,2, . . . ,n}, and (ii) three sets of non-zero random numbers{α₁, α₂, . . . , α_(n)}, {β₁, β₂, . . . , β_(n)}, and {γ_(I), γ₂, . . ., γ_(n)};

[0123] b. creates matrices P₁, P₂, and P₃ where P₁(i,j)=α_(i)δ_(π1(i)j),P₂(i,j)=β_(i)δ_(π2(i)j), and P₃(i,j)=γ_(i)δ_(π3(i)j) (these matrices arereadily invertible, e.g., P₁ ⁻¹=(α_(j))⁻¹δ_(π1) ⁻¹ _((i)j)); and

[0124] c. computes the matrix X=P₁M₁P₂ ⁻¹ (such thatX_((i,j))=(α_(i)/β_(j))M₁(π₁(i),π2(j))), and Y=P₂M₂P₃ ⁻¹.

[0125] Matrices X and Y define the disguised arguments DA for DP1.Subsystem 30 sends the matrices X and Y to computing center 50.Computing center 50 determines the product Z=XY=(P₁M₁P₂ ⁻¹)(P₂M₂P₃⁻¹)=P₁M₁M₂P₃ ⁻¹ and sends matrix Z back to subsystem 30. Matrix Z is thedisguised result DR for DP 1.

[0126] Subsystem 30 computes locally, in O(n²) time, the matrix P₁⁻¹ZP₃, which equals M₁M₂, the actual answer SA; where the function O(n²)represents processing time on the order of and proportional to n². Itshould be appreciated that the outsourced computation by computingcenter 50 for DP1 requires processing time proportional to n³ asrepresented by O(n³).

EXAMPLE TWO

[0127] At the expense of more complex disguise preparation by subsystem30, a greater degree of security may be provided in a second matrixmultiplication example designated as disguise procedure DP2. For DP2,subsystem 30 performs the following stages a.-c

[0128] a. compute matrices X=P₁M₁P₂ ⁻¹ and Y=P₂M₂P₃ ⁻¹ in accordancewith disguise procedure DP1;

[0129] b. select two random n×n matrices S₁ and S₂ and generate fourrandom numbers β, γ, β′, γ′ such that (β+γ)(β′+γ′)(γ′β−γβ′)≠0; and

[0130] c. compute the six matrices X+S₁, Y+S₂, βX−γS₁, βY−γS₂, β′X−γ′S₁,β′Y−γ′S₂.

[0131] The following three matrix multiplications are then outsourced bysubsystem 30 to computing center 50:

W=(X+S ₁)(Y+S ₂);   (a)

U=(βX−γS ₁)(βY−γS ₂); and   (b)

U′=(β′X−γ′S ₁)(β′Y−γ′S ₂)   (c)

[0132] The results are returned by computing center 50 to subsystem 30.Subsystem 30 then locally computes matrices V and V′; where

V=(β+γ)⁻¹(U+βγW), and

V′=(β′+γ′) ⁻¹(U′+β′γ′W)

[0133] It will be appreciated by those of skill in the art that:

V=βXY+γS ₁ S ₂, and

V′=β′XY+γ′S ₁ S ₂

[0134] Subsystem 30 outsources the computation: (γ′β−γβ′)⁻¹(γ′V−γV′) asthe disguised arguments DA which equal the product XY. Computing center50 returns the remotely computed matrix product XY (the disguised resultDR); and subsystem 30 computes M₁M₂ from XY according to: P₁ ⁻¹XYP₃=P₁⁻¹(P₁M₁P₂ ⁻¹)(P₂M₂P₃ ⁻¹)P₃=M₁M₂.

EXAMPLE THREE

[0135] Disguise procedure DP3 as follows provides a third example of adisguised outsourced matrix multiplication. DP3 utilizes DP2 and furtherimposes control on the length of random number sequences generated toprovide a more robust random number generator disguise. For DP3,subsystem 30 defines L as the maximum length for a sequence from arandom number generator so that M=[m/L] is the number of distinct randomnumber generators 232 needed.

[0136] Let G(A(i)), i=1,2 . . . ,M be one-time random number generators.Each random generator has a vector A(i) of 12 parameters/seeds.Correspondingly, non-zero vectors are provided for the three matricesP₁, P₂, P₃ used to disguise M₁ and M₂. Computing center 50 receivesX=P₁M₁P₂ ⁻¹ and Y=P₂M₂P₃ ⁻¹ for the outsourced multiplication andreturns matrix Z to subsystem 30. This approach further hampers theability to successfully impose a statistical attack. Further, as long ascomputing center 50 is without information about M₁ and M₂, it appears astatistical attack is the only type of attack available.

EXAMPLE FOUR

[0137] In a fourth example, disguise procedure DP4 for themultiplication of non-square matrices is utilized; where M₁ is k×m andM₂ is m×n, and hence: M₁M₂ is k×n. For DP4, any of the procedures DP 1,DP2, DP3 may be utilized with the sizes of the P_(i) and S_(i) matricesbeing selected accordingly. For matrices S_(i) of DP2 or DP3, S₁ is ofk×m dimension and S₂ is of m×n dimension, because each of S₁ and S₂ isadded to matrices having such dimensions. For the matrices P_(i) itshould be appreciated that P_(i) is constrained to be: (i) square sothat it may be inverted, (ii) sized to be compatible with the number ofrows of the matrices that it (or its inverse) left-multiplies, and (iii)sized to be compatible with the number of columns of the matrices thatit (or its inverse) right-multiplies. For example, as P₂ is used forleft-multiplying M₂, and M₂ has m rows, P₂ should be m×m. The constraintthat P₂ ⁻¹ right-multiplies M₁ is compatible with the previous one,because M₁ has m columns.

EXAMPLE FIVE

[0138] In a fifth example, dimension hiding is included for anoutsourced matrix multiplication as disguise procedure DP5. For DP5,subsystem 30 defines M₁ with dimension a×b matrix and M₂ with dimensionb×c matrix. Two or more matrix multiplications using one of thepreviously described matrix multiplication procedures DP1-DP4 areperformed instead of just one. These substitute multiplications areperformed with matrices having dimensions a′, b′, c′ that are differentfrom a, b, c. Hiding the dimensions can be done by either enlarging orshrinking one (or a combination of) the relevant dimensions. A dimensiona is “enlarged” if a′>a, and “shrunk” if a′<a (similarly for b, b′, c,and c′). Although for convenience enlargement and shrinking aredescribed separately, it should be understood that these operationsalternatively can be done in combination.

[0139] Enlarging a (so that it becomes a′>a) is performed by subsystem30 by appending a′−a additional rows, having random entries, to matrixM₁. As a result, product M₁M₂ has a′−a additional rows that may beignored. Enlarging c (so that c′>c) is performed by subsystem 30 byappending c′−c additional columns, having random entries, to matrix M₂,causing the resulting product of M₁M₂ to have c′−c additional columnsthat may be ignored.

[0140] Alternatively or additionally, subsystem 30 may enlarge vector bby appending b′−b extra columns to the first matrix and b′−b extra rowsto the second matrix. It should be appreciated that these additionalrows and columns cannot have completely random entries because they mayinteract to corrupt the outsourced calculation result. Accordingly, toavoid any corruption, subsystem 30 preserves the dimensions of theresulting product matrix M₁M₂ by: (a) numbering the b′−b extra columns1,2, . . . ,b′−b, and similarly numbering the extra rows 1,2, . . .,b′−b; (b) selecting the entries of the odd-numbered extra columns androws to be random and zero, respectively; and (c) selecting the entriesof the even-numbered extra columns and rows to be zero and random,respectively. These operations assure that enlarging b does not cause achange in the matrix product M₁M₂. For embodiments that enlarge b inconjunction with enlargements of a and/or c, the enlargement of b ispreferably performed first.

[0141] Dimensional shrinking of a may be performed as part of DP5 withsubsystem 30 by partitioning the first matrix Ml into two matrices: M₁′having the first a′−a rows and M₁″ having the last a′ columns. Matrix M₂stays the same, but to get the a×c matrix, both products M₁′M₂ and M₁″M₂are outsourced. Dimensional shrinking of c is performed by partitioningthe second matrix M₂ into two matrices: M₂′ having the first c′−ccolumns and M₂″ having the last c′ columns. Matrix M₁ stays the same,but to get the a×c matrix, both products M₁M₂′ and M₁M₂′ are outsourced.

[0142] Additionally or alternatively, DP5 may include dimensionalshrinking of b. Subsystem 30 shrinks b by partitioning both matrices M₁,M₂ into two matrices. Matrix M₁ is partitioned into matrix M₁′ havingthe first b−b′ columns and matrix M₁″ having the last b′ columns. MatrixM₂ is partitioned into matrix M₂′ having the first b−b′ rows and matrixM₂″ having the last b′ rows. The a×c product matrix sought is thenM₁′M₂′+M₁″M₂″.

[0143] DP5 also optionally includes performing the three above shrinkingoperations together. This option results in a partition of each ofmatrices M₁, and M₂ into four matrices.

[0144] Using, for example, the notation M₁([i:j], [k:n]) for thesubmatrix of M₁ whose rows are in the interval [i:j] and whose columnsare in the interval [k:n], then computing M₁M₂ requires the followingfour computations (a)-(d):

M₁([1:a−a′],[1:b−b′])M₂([1:b−b′],[1:c−c′])+M₁([1:a−a′],[b−b′+1:b])M₂([(b−b′+1:b],[1:c−c′]);  (a)

M₁([1:a−a′],[1:b−b′])M₂([1:b−b′],[c−c′+1:c])+M₁([1:a−a′],[b−b′+:b])M₂([b−b′+1:b],[c−c′+1:c]);  (b)

M₁([a−a′+1:a],[1:b−b′])M₂([1:b−b′],[1:c−c′])+M₁([a−a′+1:a],[b−b′+1:b])M₂([b−b′+1:b],[1:c−c′]);and  (c)

M₁([a−a′+1:a],[1:b−b′])M₂([1:b−b′],[c−c′+1:c])+M₁([a−a′+1:a],[b−b′+1:b])M₂([b−b′+1b],[c−c′+1:c]).

EXAMPLE SIX

[0145] In a sixth example, a secure matrix inversion disguise procedureDP6 is provided for matrix M; where the entries of matrix M are theactual arguments AA. For DP6, the following stages a.-j. are performed:

[0146] a. Subsystem 30 selects a random n×n matrix S.

[0147] b. Subsystem 30 securely outsources the matrix computation Ĉ=MSby executing one of the previously described procedures DP1-3 or DP5 asa subroutine of DP6.

[0148] c. Subsystem 30 generates matrices P₁, P₂, P₃, P₄, P₅ using thesame method as for the P₁ matrix of DP1. That is,P₁(i,j)=a_(i)δ_(π1(i),j; P)₂(i,j)=b_(i)δ_(π2(i),j);=P₃(i,j,)=c_(i)δ_(π3(i),j);P₄(ij)=d_(i)δ_(π4(i),j); and P₅(i,j)=e_(i)δ_(π5(i),j); where π1, π2, π3,π4, π5 are random permutations, and where a_(i), b_(i), c_(i), d_(i),e_(i) are random numbers.

[0149] d. Subsystem 30 computes the matrices: Q=P₁ĈP₂ ⁻¹=P₁MSP₂ ⁻¹ andR=P₃SP₄ ⁻¹.

[0150] e. Subsystem 30 outsources the computation of Q⁻¹ to computingcenter 50.

[0151] f. If computing center 50 succeeds in determining Q⁻¹, it returnsQ⁻¹ to subsystem 30; otherwise computing center 50 to subsystem 30 thatindicates Q is not invertible. If this indication is received bysubsystem 30, it tests whether:

[0152] (i) S is invertible by first computing Ŝ=S₁SS₂, where S₁ and S₂are matrices known to be invertible, and outsources matrix S tocomputing center 50 for inverting. It should be understood that the onlyinterest is whether Ŝ is invertible or not, not in its actual inverse.The fact that S is discarded makes the choice of S₁ and S₂ less crucial;

[0153] however, choosing S₁ and S₂ to be the identity matrices may notbe desirable because it may make it easier to learn how the randommatrices are generated.

[0154] (ii) If computing center 50 can invert Ŝ, then S is invertible,and hence M is not invertible. If the computing center 50 indicates Ŝ isnot invertible, then S is not invertible. In that case, operations(a)-(f) of DP6 are repeated with a different S.

[0155] g. If Q is invertible, then, in accordance with the observationthat Q⁻¹=P₂S⁻¹M⁻¹P₁ ⁻¹, subsystem 30 computes the matrix T=P₄P₂⁻¹Q⁻¹P₁P₅ ⁻¹ which is equal to P₄S⁻¹M⁻¹P₅ ⁻¹.

[0156] h. Subsystem 30 outsources the computation of Z=RT to computingcenter 50 which serve as disguised arguments DA. One of DP1-DP3 or DP5may be utilized as a subroutine for this operation.

[0157] i. Computing center 50 returns Z, the disguised result DR, tosubsystem 30.

[0158] j. Observing that Z=P₃SP₄ ⁻¹P₄S⁻¹M⁻P₅ ⁻¹=P₃M⁻¹P₅ ⁻¹, subsystem 30computes P₃ ⁻¹ZP₅, which equals M⁻¹, the actual answer SA.

EXAMPLE SEVEN

[0159] In a seventh example, dimensional hiding is incorporated intosecure matrix inversion in disguise procedure DP7. For DP7, hidingdimension n for matrix inversion may be achieved by: (a) using thedimension-hiding version of matrix multiplication described inconnection with procedure DP5, and (b) modifying stage “f.” of DP6 toperform the inversion of Q by inverting a small number of n′×n′ matriceswhere n′ differs from n. Otherwise DP7 is performed the same as DP6. DP7provides an option of enlarging the dimension of Q, (i.e., n′>n) forwhich stage “f” of DP6 is modified to invert one n′×n′ matrix Q′ definedas follows; where the matrices O′, O″ are of n×(n′−n) and (n′−n)×ndimension, respectively, and all of whose entries are zero, and S′ is an(n′−n)×(n′−n) random invertible matrix:

Q′([1:n],[1:n])=Q;

Q′([1:n],[n+1:n])=O′;

Q′([n+1:n′],[1:n])=O″; and

Q′([n+1:n′],[n+1:n′])=S′.

[0160] It should be understood that the inversion of Q′ is not performedby sending it directly to computing center 50, as the zeros in it mayreveal n. Rather, the inversion of Q is performed in accordance withDP6.

[0161] Dimension shrinking may optionally be included in DP7 based onthe premise that if X=Q([1:m],[1:m])is invertible (m<n),Y=Q([m+1:n],[m+1:n]); V=Q([1:m],[m+1:n]); W=Q([m+1:n], [1:m]); andD=Y−WX⁻¹V is invertible, then:

Q ⁻¹([1:m],[1:m])=X ⁻¹ +X ⁻¹ VD ⁻¹ WX ⁻¹;

Q ⁻¹([1:m],[m+1:n])=−X ⁻¹ VD ⁻¹;

Q ⁻¹([m+1:n],[1:m])=−D⁻¹ WX ⁻¹; and

Q ⁻¹([m+:n],[m+1:n])=D ¹.

[0162] Correspondingly, for DP7, Q is partitioned into four matrices X,Y, V, W. One of the secure matrix multiplication techniques DP1 -DP3 orDP5 and the secure matrix inversion of procedure DP6 are utilized todetermine the four pieces of Q⁻¹.

EXAMPLE EIGHT

[0163] In an eighth example of the present invention, secure outsourcingof a linear system of equations is provided as disguise procedure DP8.For a linear system of equations, the actual arguments may berepresented in the form Mx=b; where M is a square n×n matrix, b is avector of dimension n, and x is a vector of n unknowns. For DP8, thefollowing stages a.-e. are performed:

[0164] a. Subsystem 30 selects a random n×n matrix B and a random numberjε{1,2, . . . ,n} and replaces the j^(th) row of B by b such that:B=[B₁, . . . B¹⁻¹, b, B_(j+1), . . . , B_(n)].

[0165] b. Subsystem 30 generates matrices P₁, P₂, P₃ using the samemethod as for the P₁ matrix in DPI, such that P₁(i,j)=a_(i)δ_(π1(i),j);P₂(i,j)=b_(i)δ_(π2(i),j); P₃(i,j)=c_(i)δπ3(i)j; where π1, π2, π3 arerandom permutations, and where a_(i), b_(i), c_(i), are random numbers.

[0166] c. Subsystem 30 computes the matrices Ĉ=P₁MP₂ ⁻¹ and G=P₁BP₃ ⁻¹.

[0167] d. Subsystem 30 outsources the solution of the linear system Ĉx=Ĝto computing center 50. If Ĉ is singular then computing center 50returns a message with this indication; otherwise center 50 returns:Û=Ĉ⁻¹Ĝ.

[0168] e. Subsystem 30 computes X=P₂ ⁻¹ÛP3 which equals M⁻¹B, because:

[0169] P₂ ⁻¹ÛP₃=P₂ ⁻¹Ĉ⁻¹ĜP₃=P₂ ⁻¹P₂M⁻¹P₁ ⁻¹P₁BP₃ ⁻¹P₃=M⁻¹B; where theanswer x (actual answer SA) is the j^(th) column of X, i.e., x =X_(j).

EXAMPLE NINE

[0170] In a ninth example, dimensional hiding of a linear system ofequations is provided by disguise procedure DP9. For DP9, dimension n ofthe linear system of equations is hidden by embedding the problem Mx=binto a larger problem M′x′=b′ of the size n′>n. In what follows, if X isan r×c matrix and Y is an r′×c′(r<r′), the notation “Y=X(*,[1:c])” meansthat Y consists of as many copies of X as needed to fill the r′ rows ofY. It should be appreciated that the last copy could be partial, if rdoes not divide r′. For example, if r′=2.5r then the notation would meanthat:

Y([1:r],[1:c])=Y([r+1:2r],[1:c])=X; and

Y([2r+:2.5r], [1:c])=X([1:0.5r], [1:c]).

[0171] The larger problem M′x′=b′ of size n′>n is defined as follows.The matrix M′ and vector b′ are defined as follows, where the matricesO′ and O″ are of dimension n×(n′−n) and (n′−n)×n, respectively, all ofwhose entries are zero; S′ is an (n′−n)×(n′−n) random invertible matrix,and y is a random vector of length (n′−n):

M′([1n],[1:n])=M;

M′([1:n],[n+1:n′])=O′;

M′([n+1:n′],[1:n])=O″;

M′([n+1:n′],[n+1:n])=S′;

b′([1:n])=b; and

b′([n+1:n′])=S′y.

[0172] Then the solution x′ to the system M′x′=b′ is x′([1:n])=x andx′([n+1, n′])=y. Note that the zero entries of O′ and O″ do not betray nbecause these zeroes are hidden when Ĉ=P₁MP₂ ⁻¹ is computed. As analternative, matrices O′ and O″ need not have zeroes if:

[0173] a. O′ is a random matrix (rather than a matrix of zeros);

[0174] b. O″=M(*, [1:n]);

[0175] c. S′=O′(*, [n+1:n]); and

[0176] d. b′=(b+O′y)(*).

[0177] If the selection of random values for y and matrix O′ result in anoninvertible M′, then the corresponding operations are repeated untilan invertible M′ results. The probability that M′ is non-invertible islow. For an invertible M′, the solutions x′ to the system M′x′=b′remains x′([1:n])=x and x′([n+1, n])=y, because Mx+O′y=b′([1:n])=b+O′y,and hence Mx=b.

EXAMPLE TEN

[0178] A tenth example is provided as disguise procedure DP10 for asecure quadrature computation to be outsourced. For DP10, the objectiveis to provide an estimate corresponding to the following expression(27): $\begin{matrix}{\int_{a}^{b}{{f(x)}{x}}} & (27)\end{matrix}$

[0179] with accuracy designated as “eps”. Expression (27) corresponds tothe actual arguments AA to be disguised by DP10. DP10 proceeds inaccordance with stages a.-e. as follows:

[0180] a. Subsystem 30 chooses x₁=a; x₇=b; 5 ordered, random numbers x₁in [a,b]; and 7 values v_(i) with a range defined such thatmin|f(x)|≈M₁≦M₂≈max|f(x)|; where Ml and M₂ are estimations and theoperators min|f(x)| and max|f(x)| return the minimum and maximum valueof f(x), respectively.

[0181] b. Subsystem 30 creates a cubic spline g(x) with breakpointsx_(i); such that g(x_(i))=v_(i).

[0182] c. Subsystem 30 integrates g(x) from a to b to obtain I₁ andsends g(x)+f(x) (the disguised arguments DA) and eps to computing center50 for numerical quadrature.

[0183] d. Computing center 50 returns I₂ (the disguised result DR) tosubsystem 30.

[0184] e. Subsystem 30 computes I₂-I₁ which is the actual answer SA.

EXAMPLE ELEVEN

[0185] In an eleventh example, a disguise procedure DP11 for quadraturecomputations is provided that is more robust with respect to anapproximation theoretic attack. DP11 modifies DP10 to add a seconddisguise function. Specifically, to assure that f(x) has a smoothnesscharacteristic comparable to g(x). Further security enhancements mayoptionally be incorporated by using reverse communication as describedin J. R. Rice, Numerical Methods, Software and Analysis, 2d ed.,Academic Press (1993), which is hereby incorporated by reference in itsentirety, or by replacing f(x) with a high accuracy approximation aspreviously discussed in connection with random function determinations.

EXAMPLE TWELVE

[0186] In a twelfth example, disguise procedure DP12 provides for secureoutsourcing of a convolution computation of two vectors M₁ and M₂ ofsize n, indexed from 0 to n-1 (the actual arguments AA). It should beappreciated that the convolution M, of M₁ and M₂, is a new vector of thesize 2n -1, denoted by:

[0187] M=M₁

M₂, such that expression (28) follows: $\begin{matrix}{{M(i)} = {\sum\limits_{k = 0}^{\min {({i,{n - 1}})}}{{M_{1}(k)}{{M_{2}\left( {i - k} \right)}.}}}} & (28)\end{matrix}$

[0188] DP12 includes the following stages a.-f.:

[0189] a. Subsystem 30 randomly selects vectors S¹, S₂, of size n andfive positive numbers α, β, γ, β′, γ′ such that:(β+αγ)(β′+αγ′)(γ′β−γβ′)≠0.

[0190] b. Subsystem 30 computes six vectors: αM₁+S₁, αM₂ +S₂, αM₁−γS₁,βM₂−γS₂, β′M₁−γ′S₁, β′M₂−γ′S₂.

[0191] c. Subsystem 30 outsources to computing center 50 the threeconvolutions defined by expressions (29)-(31) that follow:

W=(αM ₁ +S ₁)

(αM ₂ +S ₂);  (29)

U=(βM₁ −γS ₁)

(βM₂ −γS ₂); and  (30)

U′=(β′M ₁ −γ′S ₁)

(β′M ₂ −γ′S ₂).  (31)

[0192] d. Computing center 50 returns W, U, and U′ to subsystem 30 asthe disguised results DR.

[0193] e. Subsystem 30 computes the vectors according to expressions(32) and (33) as follows:

V=(β+αγ)⁻¹(αU+βγW)  (32)

V′=(β′+αγ′)⁻¹(αU′+β′γ′W)  (33)

[0194] where it may be observed that

V=αβM ₁

M ₂ +γS ₁

S ₂, and

V′=αβ′M ₁

M ₂ +γ′S ₁

S ₂

[0195] f. Subsystem 30 computes α⁻¹(γ′β−γβ′)⁻¹(γ′V−γV′), which equalsthe actual answer SA, M₁

M₂.

[0196] Further, security of an outsourced convolution computation may beenhanced by hiding the dimension. The dimension may be expanded for aconvolution computation by “padding” the two input vectors with zeroes.The zeroes do not betray the value of n because they are hidden throughthe addition of random numbers. Alternatively or additionally, thedimension may be hidden by shrinking the problem size with twooperations: (a) replacing the convolution size n by three convolutionsof size n/2 each, and then (b) recursively hiding (by shrinking orexpanding) the sizes of these three convolutions with a recursion depthof O(1).

EXAMPLE THIRTEEN

[0197] In a thirteenth example, disguise procedure DP13 provides forsecure outsourcing of the solution to a differential equation defined asa two point boundary value problem in expressions (34)-(36) that follow:

y″+a ₁(x)y′+a ₂(x)y=f(x,y);  (34)

y(a)=y ₀; and  (35)

y(b)=y ₁.  (36)

[0198] The differential equation of expression (34) and the boundaryconditions of expressions (35) and (36) are the actual arguments SA forDP13. DP13 proceeds in accordance with stages a.-d. as follows:

[0199] a. Subsystem 30 selects a cubic spline g(x) and creates thefunction of expression (37) that follows:

u(x)=g″+a ₁(x)g′+a ₂(x)g.  (37)

[0200] b. Subsystem 30 sends the problem defined by the followingexpressions (38)-(40) as disguised arguments DA to computing center 50for solution:

y″+a ₁(x)y′+a ₂(x)y=f(x,y)+u(x);  (38)

y(a)=y ₀ +u(a); and  (39)

y(b)=y ₁ +u(b).  (40)

[0201] c. Computing center 50 solves the problem corresponding toexpressions (38)-(40) and returns z(x), the disguised result DR, tosubsystem 30.

[0202] d. Subsystem 30 computes the actual answer, z(x)−g(x).

EXAMPLE FOURTEEN

[0203] The outsourcing of computations may involve the transmission of asubstantial amount of symbolic input, either pure mathematicalexpressions or high level programming language (Fortran, C, etc.) code.Such code can compromise security if provided without a disguise duringoutsourcing. Disguise procedure DP14 of this fourteenth exampledescribes various techniques to disguise symbolic information and toaddress security risks posed by “symbolic code analysis” attacks.Various operations that may be alternatively or collectively performedin accordance with DP 14 include:

[0204] (a) reducing or eliminating all name information in the code,including the deletion of all comments and/or removal of all informationfrom variable names;

[0205] (b) utilizing approximations of basic mathematical functions,such as sine, cosine, tangent, cotangent, logarithm, absolute value,exponentiation, to reduce the likelihood such functions can be readilyidentified by code inspection (techniques may include, for example, onetime elementary function approximations for these functions using acombination of a few random parameters along with best piecewisepolynomial, variable breakpoint approximations);

[0206] (c) applying symbolic transformations such as changes ofcoordinates, changes of basis functions or representations, and use ofidentities and expansions of unity; and/or

[0207] (d) utilizing reverse communication to avoid passing source codefor numerical computations to agent A and to hide parts of the originalcomputation.

[0208] In one instance of reverse communication according to thisexample, it may be desirable to avoid passing the code for the functionu(x) to computing center 50; however, computing center 50 may beselected to do computations to provide x before u(x) needs to bedetermined, and further computing center 50 may selected to performcomputations involving u(x) after u(x) is made available. Accordingly,subsystem 30 receives x from computing center 50, evaluates u(x), andreturns u(x) to computing center 50 for further processing in accordancewith this reverse communication embodiment.

[0209] In one instance of symbolic transformation according to thisexample, the readily recognizable differential equation given byexpression (41) as follows:

y″+x*cos(x)y″+(x ² +log(x))y=1+x ²  (41)

[0210] is disguised by applying the following symbolic transformationsdefined by expressions (42)-(47) that follow:

cos² x−sin² y=cos(x+y)cos(x−y);  (42)

sec ²(x+y)−tan²(x+y)=1;  (43)

(tan x+tan y)/tan(x+y)+tan x tan y=1;  (44)

1+x=(1−x ²)/(x−x);  (45)

sin(3(x+y))=3 sin(x+y)−4 sin³(x+y); and  (46)

a ² −ax+x ²=(a ³ +x ³)/(a+x).  (47)

[0211] By rearranging and renaming, a more complicated result may beobtained as represented by expression (48); where the Greek letters arevarious constants that have been generated:

(β cos² x−δ)y″+x[cos x/(γ cos(x+1))−cos x sin(x+1)tan(x+1)]*[ε−sin² x+εsin(x+1)−sin² x sin(x+1)]y′+[β(x cos x)²−η(x+logx)+θ cos xlog(x ²)]*[ηsin x+δ tan x+(χ sin x+μ cos x+v)/tan(x+2)]y=(1+x ²)[sin x+η cosx]  (48)

[0212] Moreover, by further renaming and implementation of someelementary functions, including the replacement of the variable names bythe order in which the variables appear, expression (48) becomesexpression (49) as follows:

y″[x01* x02(x)−x03]+y′[x04*x/(x05 cos(x+1)+cosx*x06(x)tan(x+1)]*[x07−sin² x−x08(x)sin² +x07sin²(x+1)]+y[x01*(x*x9(x))² −x10(x+logx)+x11 cos xlogx ²]*[x12*x13(x)+x14 tan x+x15 sin x+x16 cos x+x17)]=sin x+x18*(1+x²)*x09(x)+x19(x)+x10*x ² cos x

EXAMPLE FIFTEEN

[0213] In example fifteen, disguise procedure DP15 is applied to enhancesecurity of an outsourced computation for detecting edges of an imagerepresented by an n×n array of pixel values p(x,y) between 0 and 100,000on the square 0≦x,y≦1. DP15 includes the following stages a.-f.:

[0214] a. Subsystem 30 sets x₁,y₁=0, x₁₀,y₁₀=1, and selects:

[0215] 1. two sets of 8 ordered, random numbers with 0<x_(i),y_(i)<1;

[0216] 2. 100 random values 0≦v_(ij)≦50,000; and,

[0217] 3. 4 pairs (a_(i),b_(i)) of positive, random numbers witha₁=min(a_(i)), a₄=max(a_(i)), b₁=min(b_(i)), b₄=max(b_(i)).

[0218] b. Subsystem 30 establishes the bi-cubic spline s(x,y) so thats(x_(i),y_(i))=v_(ij)

[0219] c. Subsystem 30 determines the linear change of coordinates from(x,y) to (u,v) that maps the unit square into the rectangle withvertices (a_(i),b_(i)).

[0220] d. Subsystem 30 sends p(u(x,y), v(x,y))+s(u(x,y), v(x,y)) asdisguised arguments DA to computing center 50 to perform an edgedetection computation.

[0221] e. Computing center 50 generates the disguised result DR as animage e(u,v) showing the edges and returns e(u,v) to subsystem 30.

[0222] f. Subsystem 30 computes e(x(u,v), y(u,v)) to obtain actualanswer SA, the desired edges.

EXAMPLE SIXTEEN

[0223] For example sixteen, secure outsourcing of template matchingutilized for image analysis is provided by disguise procedure DP16. Foran N×N image I and a smaller n×n image object P (each of which comprisesan “image matrix”), consider the computation of an (N−n+1)×(N−n+1) scorematrix C_(I,P) of the form given by expression (50) as follows:$\begin{matrix}{{{{C_{I,P}\left( {i,j} \right)} = {\sum\limits_{k = 0}^{n - 1}{\sum\limits_{k^{\prime} = 0}^{n - 1}{f\left( {{I\left( {{i + k},{j + k^{\prime}}} \right)},{P\left( {k,k^{\prime}} \right)}} \right)}}}};}{{0 \leq i},{j \leq {N - n}}}} & (50)\end{matrix}$

[0224] for some function f(x,y). Score matrices may be used in imageanalysis, specifically in template matching, when one is trying todetermine whether (and where) an object occurs in an image. A smallC_(I,P)(i,j) indicates an approximate occurrence of the image object Pin the image I (a zero indicates an exact occurrence). Frequent choicesfor the function f(x,y) are f(x,y)=(x−y)² and f(x,y)=|x−y|.

[0225] When the function f(x,y)=(x−y)² is selected, DP16 proceeds withstages a.-e. as follows:

[0226] a. Subsystem 30 selects a random N×N matrix S1, and a random n×nmatrix S2; and generates five positive random numbers α, β, γ, β′, γ′such that (β+αγ)(β′+αγ′)(γ′β−γβ′)≠0.

[0227] b. Subsystem 30 computes six matrices: αI+S1, αP+S2, βI−γS1,βP−γS2, β′I−γ′S1, β′P−γ′S2, that serve as disguised arguments DA.

[0228] c. Subsystem 30 outsources the computation of three scorematrices C_(x,y) to computing center 50, where there is one score matrixfor each pair X,Y of the matrices received.

[0229] d. Computing center 50 calculates the matrices and returns themto subsystem 30 as defined by the following expressions (51)-(53):

W=C _((αI+S1),(αP+S2))  (51)

U=C _((βI−γS1),(βP−S2))  (52)

U′=C _((β′I−γ′S1),(β′P−γ′S2))  (53)

[0230] e. Subsystem 30 computes the matrices V and V′ from W, U, and U′(the disguised results DR) as returned by computing center 50. Thedetermination of matrices V and V′ are in accordance with expressions(54)-(55) as follows:

V=(β+αγ)⁻¹(αU+βγW); and  (54)

V′=(β′+αγ′)⁻¹(αU′+β′γ′W)  (55)

[0231] Subsystem 30 computes α⁻¹(γ′β−γβ′)⁻¹(γ′V−γV′) from V and V′ whichequals C_(I,P).

[0232] When the function f(x,y)=|x−y| is selected, DP 16 proceeds with atwo-dimensional version of the convolution disguise procedure, DP12;where B is defined as an alphabet, i.e., the set of symbols that appearin I or P; and for every symbol xεB, DP16 proceeds with the followingstages a.-h.:

[0233] a. Subsystem 30 replaces, in I, every symbol other than x by 0(every x in I stays the same); where I_(x) is designated as theresulting image.

[0234] b. Subsystem 30 replaces every symbol that is ≦x by 1 in P, andreplaces every other symbol by 0; where P_(x) is designated as theresulting image. P_(x) is augmented into an N×N matrix Π_(x) by paddingit with zeroes which serves a first group of the disguised arguments DA.

[0235] c. Subsystem 30 outsources the computation of the score matrixaccording to the following expression (56) to computing center 50:$\begin{matrix}\begin{matrix}{{{D_{x}\left( {i,j} \right)} = {\sum\limits_{k = 0}^{n - 1}{\sum\limits_{k^{\prime}}^{n - 1}{{I_{x}\left( {{i + k},{j + k^{\prime}}} \right)}{\Pi_{x}\left( {k,k^{\prime}} \right)}}}}};} & {{0 \leq i},{j \leq {N - n}}}\end{matrix} & (56)\end{matrix}$

[0236] Expression (56) is a form of 2-dimensional convolution that canbe outsourced using DP12.

[0237] d. Subsystem 30 replaces, in P, every symbol other than x by 0(every x in P stays the same); where P′_(x) is designated as theresulting image. P′_(x) is augmented into an N×N matrix Π′_(x) bypadding it with zeroes which serves as second group of the disguisedarguments DA.

[0238] e. Subsystem 30 replaces every symbol that is <x by 1 in I, andevery other symbol by 0; where I′_(x) is designated the resulting image.

[0239] f. Subsystem 30 outsources the computation of the score matrixaccording to the following expression (57) to computing center 50:$\begin{matrix}\begin{matrix}{{{D_{x}^{\prime}\left( {i,j} \right)} = {\sum\limits_{k = 0}^{n - 1}{\sum\limits_{k^{\prime}}^{n - 1}{{I_{x}^{\prime}\left( {{i + k},{j + k^{\prime}}} \right)}{\Pi_{x}\left( {k,k^{\prime}} \right)}}}}};} & {{0 \leq i},{j \leq {N - n}}}\end{matrix} & (57)\end{matrix}$

[0240] Expression (57) is a form of 2-dimensional convolution that canbe outsourced using DP12.

[0241] g. Computing center 50 returns the computations corresponding toexpressions (56) and (57) (the disguised results DR) to subsystem 30.

[0242] h. Subsystem 30 computes the actual answer SA in accordance withexpression (58) as follows: $\begin{matrix}{C_{I,P} = {\sum\limits_{x \in B}\left( {D_{x} + D_{x}^{\prime}} \right)}} & (58)\end{matrix}$

EXAMPLE SEVENTEEN

[0243] In example seventeen, a secure outsourcing technique for sortinga sequence of numbers E={e₁, . . . , e_(n)} is provided as disguiseprocedure DP17. DP17 proceeds with stages a.-f. as follows:

[0244] a. Subsystem 30 selects a strictly increasing function f: E→

, such as f(x)=α+β(x+y)³; where β>0. For this function f(x), subsystem30 selects α, β, and γ in accordance with β>0.

[0245] b. Subsystem 30 generates a random sorted sequence Λ={λ₁, . . . ,λ_(k)} of k numbers by randomly “walking” on the real line from MIN toMAX where MIN is smaller than the smallest number in E and MAX is largerthan the largest number in E. Letting Δ=(MAX−MIN)/n, the random walkingis implemented by subsystem 30 as follows: (i) randomly generate λ₁ froma uniform distribution in [MIN, MIN+2Δ]; (ii) randomly generate λ₂ froma uniform distribution in [λ₁, λ₁+2Δ]; and continue in the same wayuntil MAX is exceeded, which provides a total number of elements k. Itmay be observed that Λ is sorted by the construction such that theexpected value for the increment is Δ. Correspondingly, the expectedvalue for k is given by:

(MAX−MIN)/Δ=n.

[0246] c. Subsystem 30 computes the sequences E′=f(E) and Λ′=f(A); wheref(E) is the sequence obtained from E by replacing every element e_(i) byf(ei), and concatenates the sequence Λ′ to E′, obtaining W=E′∪Δ′.

[0247] d. Subsystem 30 randomly permutes W, the disguised arguments DA,before outsourcing to computing center 50.

[0248] e. Computing center 50 returns the disguised arguments DA assorted result W′.

[0249] f. Subsystem 30 removes A′ from W′ to produce the sorted sequenceE′ and computes E=f¹(E′), the actual answer SA.

[0250] The value n may be revealed by this approach, because the numberof items sent to the agent has expected value 2n. To provide greatersecurity, n may be modified by letting Δ=(MAX−MIN)/m where m is a numberindependent of n. Therefore the size of the outsourced sequence is m+n,which hides the size of problem through expansion.

EXAMPLE EIGHTEEN

[0251] In example 18, secure outsourcing of a text string patternmatching computation is provided by disguise procedure DP18. For DP18, Tis a text string of length N, P is a pattern of length n (n≦N), and bothare over alphabet A. DP18 is based on establishing a score vectorC_(T,P) such that C_(T,P)(i) is the number of positions at which thesymbols of pattern P equal their corresponding symbols of text string Twhen the pattern P is positioned under the substring of T that begins atposition i of T, such that it is in accordance with the followingexpression (59): $\begin{matrix}{{\sum\limits_{k = 0}^{n - 1}{\delta \quad {T\left( {k + i} \right)}}},{P(i)}} & (59)\end{matrix}$

[0252] where δ_(x,y)=1 if x=y, and δ_(x,y)=0 otherwise.

[0253] DP18 performs the following stages a.-d. for every symbol NεB:

[0254] a. Subsystem 30 replaces, in both T and P, every symbol otherthan x by 0, and every x by 1; and lets T_(x) and P_(x) be the resultingtext and pattern, respectively. P_(x) is augmented into a length Nstring Π_(x), by padding it with zeros.

[0255] b. Subsystem 30 outsources to computing center 50 the computationof expression (60) as follows: $\begin{matrix}\begin{matrix}{{{D_{x}(i)} = {\sum\limits_{k = 0}^{n - 1}{{I_{x}\left( {i + k} \right)}{\Pi_{x}(k)}}}},} & {0 \leq i \leq {N - n}}\end{matrix} & (60)\end{matrix}$

[0256] The terms of expression (60) (disguised arguments DA) define aform of convolution that may be securely outsourced using DP12.

[0257] c. Computing center 50 returns disguised result DR, theexpression (60) computation, to subsystem 30.

[0258] d. Subsystem 30 determines the actual answer SA, the score matrixC_(T,P) as $\sum\limits_{x \in B}D_{x}$

[0259] It should be appreciated that examples 1-18 and the disguiseprocedures disclosed herein as DP 1-DP18 are but a few of the forms ofthe embodiments of the present invention that may be utilized to providesecure outsourcing of one or more computations. Further, any of theexamples or the disguise procedures DP1-DP18 may be adapted for use inan embodiment of the present invention comprising mutually secureoutsourcing, wherein two or more parties contribute their private datainto a disguised common computation performed through the external agent(discussed in more detail hereinafter). Indeed, the stages, operationsand techniques of these examples and of disguise procedures DP1-DP18 maybe rearranged, combined, separated, deleted, altered, and added to otherstages, operations, or techniques as would occur to those skilled in theart.

[0260] Further, in one alternative embodiment of the present invention,a system dedicated to the performance of only a single type of disguiseprocedure is utilized. to In another alternative embodiment, differenttypes of outsourced computations may be accommodated by a singledisguise procedure or protocol. It should be appreciated thatclassification of the outsourced computation type for these alternativeembodiments is optional. Indeed, even when selection of a disguiseprocedure is based on outsourced computation type, computationclassification with one or more programs or computers is not neededwhere, for example, an operator selects an appropriate disguiseprocedure for a given outsourced computation. In still otherembodiments, classification may be partially operator-based or fullyperformed through the execution of one or more programs or routines.

[0261] Also, it should be appreciated that multiple agents A may beutilized to perform different parts of a given outsourced computation.Moreover, outsourced computation results may be received by a differentcomputer than the sending computer. For this example, the differentcomputers of customer C may exchange information desired to recoveractual answer SA. In still other embodiments, such as in embodimentscomprising mutually secure outsourcing, multiple sites or computers maybe utilized to prepare the disguised arguments DA and/or receive thedisguised result DR.

[0262] Also, while both disguised arguments DA and disguised result DRare preferred, in other embodiments, it may be acceptable to reveal atleast some of the actual arguments with only the result being disguisedor to receive the actual answer with only the arguments being disguised.Further, while the term “arguments” has been used in the plural, itshould be appreciated that the present invention includes embodimentsthat have only one argument. Correspondingly, while disguised result DRand actual answer SA have been used in the singular, it should beappreciated that the disguised result and/or actual answer may refer toa plurality. Yet another embodiment of the present invention includes:determining one or more arguments to be outsourced; disguising thearguments by performing a local computation with a first computer;sending the disguised arguments to a second computer to perform theoutsourced computation; and receiving a result of the outsourcedcomputation.

[0263] Still another embodiment of the present invention includes acomputer, an output device, and an input device. The computer isprogrammed to determine a group of disguised arguments from a set ofactual arguments. The disguised arguments hide one or morecharacteristics of the actual arguments. The disguised arguments areoutput by the output device for remote performance of the outsourcedcomputation. The input device receives the result of the outsourcedcomputation performed with the disguised arguments.

[0264] A further embodiment of the present invention includes operatinga first computer in accordance with one or more instructions to performan outsourced mathematical operation. The first computer having receiveda number of disguised arguments that hide a group of actual argumentsfor the outsourced mathematical operation. The outsourced mathematicaloperation is performed on the disguised arguments with the firstcomputer, and the result of the outsourced mathematical operation isoutput by the first computer.

[0265] In another embodiment, a system includes an input device toreceive a plurality of disguised arguments that hide at least onecharacteristic of each of a number of actual arguments. The system alsoincludes a computer responsive to the input device to perform anoutsourced computation with the disguised arguments and provide a resultof the outsourced computation. The system further comprises an outputdevice to output the result for conversion to an actual answercorresponding to the actual arguments.

[0266] Still a further embodiment includes a computer readable mediumthat defines computer programming instructions to hide a group of actualarguments for a computation to be outsourced. The instructions providefor the generation of a group of disguised arguments corresponding tothe actual arguments. The disguised arguments are generated to provide adisguised result when provided for the computation. An actual answer isrecoverable from the disguised result in accordance with theinstructions. The actual answer corresponds to the results returned bythe computation when the computation is provided the actual arguments.

Mutually Secure Outsourcing

[0267] In an embodiment of the present invention, a “mutually secureoutsourcing” system and method are provided. Mutually secure outsourcingrefers to situations where two or more parties contribute their privatedata into a disguised common computation performed through the externalagent. The contributing parties are to know the result but not eachother's private data (other than what they can infer from thecomputation's result), and the external agent should know neither theprivate data nor the result. The mutually secure outsourcing techniqueallows several different parties to contribute problem information to acomputation without revealing to anyone their part of the information.The computation may be carried out by yet another party to whom neitherthe information nor the computed solution is revealed.

[0268] This framework of this embodiment is similar to, yet differs insignificant ways from the traditional secure multi-party computationprotocols. Some significant differences are as follows:

[0269] (A) any superlinear computational burden preferably rests withthe outsourcing (external) computing agent. Preferably, the computationsperformed locally by the customers on their private data areillustratively proportional to the size of their local data. Thecustomers preferably do not keep data permanently with the outsourcingagent; instead, a customer only uses temporarily the agent's superiorcomputational resources;

[0270] (B) the computational burden on the external agent is preferablyO(T), where T is the time it would take that agent to solve the problemif it already had all of the data needed for the computation (instead ofthe data being scattered among the customers); and

[0271] (C) whereas in cryptographic multi-party protocols everyparticipant knows that “this is step i of run j of protocol X;” here theexternal agent preferably is told neither i nor j nor X. In fact, aneffort to obfuscate these is preferred, e.g., by interleaving thevarious steps/runs of multiple computations and/or by using more thanone external agent for the various steps of a single computation.

[0272] The security of the schemes does not depend on an assumption thatthe external agent is ignorant of the source code used by the customersfor creating a disguise. Rather, the security depends on the fact thatthe external agent does not know the customer's seeds of the generatorsfor the randomness, or other information which would enable the externalagent to unveil the disguised arguments.

[0273] Another embodiment of the present invention is shown in FIG. 5.Those elements referenced by numbers identical to FIGS. 1-4 perform thesame or similar function. In the FIG. 5 embodiment, two or morecustomers such as customers C1 and C2 desire to have another party suchas agent A make a computation based on information provided by customersC1 and C2. In FIG. 5, system 320 includes a first data gathering andprocessing subsystem 30, a second data gathering and processingsubsystem 330, and a computing center 50. Subsystem 30 and computingcenter 50 are illustratively identical to those discussed above withreference to FIG. 1. Subsystem 330 includes at least one computer 332.Computer 332 has a memory 334, at least one input (I/P) device 336, andat least one output (O/P) device 338. Memory 334 is similar to memory 34discussed above, and defines at least one computer readable medium thatis accessed by computer 332. Input device 336 and output device 338 aresimilar to the input device 36 and output device 38 discussed above.

[0274] Network 40 communicatively couples subsystem 330 with subsystem30 and computing center 50. Although system 320 is shown in FIG. 5 anddescribed herein in terms of two customers and one computing center, itis within the scope of the present invention that more than twocustomers can provide data and more than one computing center may beused to perform computations on the data.

[0275] Both customers C1 and C2 identify and collect data or informationillustratively referred to as actual arguments 222 to be used in anoutsourced computation. The actual arguments 222 are then classified anddisguised in operation 220 to produce disguised arguments 250 asdescribed above with reference to FIG. 3. These disguised arguments 250are then transmitted from customers C1 and C2 to computing center 50.Computing center 50 computes a disguised result 262 and transmits thedisguised result to customer C1 and/or customer C2 via the network 40 orportable computer readable medium 42. Customer C1 and customer C2 may,if so desired, exchange unveiling data in a secure fashion using network40 or portable computer readable medium 42. The unveiling data permitseach customer C1 and C2 to recover an actual answer 264 from thedisguised result 262 as illustratively discussed above. Therefore,customer C1 and customer C2 apply the unveiling data to the disguisedresult 262 revealing the actual answer 264 in a manner similar to themanner described above with reference to FIG. 4.

[0276] According to one embodiment of the present invention, twoparties, C1 and C2, have information, d1 and d2, respectively, and wantanother party, A, to make a computation to compute a result z. Thisembodiment can easily be extended to include more parties. The goals arethat C1 and C2 do not reveal the information d1 and d2 to anyone(including A), and that A does not learn the result z. According to thisembodiment, the procedure consists of one or more sequences of thefollowing steps:

[0277] 1. The type and basic parameters of the computation aredetermined.

[0278] 2. A mutually acceptable disguise procedure is chosen for thiscomputation by C1, C2, and/or A.

[0279] 3. C1 and C2 agree on a master key for the disguise procedure.

[0280] 4. C1 and C2 independently apply the disguise procedure to d1 andd2 to produce disguised information {circumflex over (d)}1 and{circumflex over (d)}2 and unveiling data v₁ and v₂

[0281] 5. C1 and C2 exchange the unveiling data in a secure fashion.

[0282] 6. {circumflex over (d)}1 and {circumflex over (d)}2 are sent toA, who computes disguised result {circumflex over (z)} and returnsdisguised result {circumflex over (z)} to C1 and C2.

[0283] 7. C1 and C2 apply the unveiling data v₁ and v₂ and reveal resultz.

[0284] As in ordinary outsourcing, it is preferred that it requires onlya reasonably small effort to disguise d1 and d2 and to unveil z, for thepurpose of computational efficiency. However, there also areapplications where security concerns out-weigh computational efficiencyconcerns.

[0285] Four illustrative examples of disguising and unveiling formutually secure outsourcing are provided herein: solution of linearsystems of equations, convolution, template matching in image analysis,and fingerprint matching. These examples are meant to be merelyrepresentative, it being understood that other forms and techniques fordisguising and unveiling for mutually secure outsourcing as would occurto those skilled in the art may alternatively or additionally beincluded.

Solution of Linear Systems of Equations

[0286] The mutual disguise procedure is illustrated in the simple caseof solving a linear system of n equations where customers C1 and C2 eachhave part of the information (equations and right side). It is desiredto obtain result z from the following problem: ${\begin{pmatrix}{M1} \\{M2}\end{pmatrix}z} = \begin{pmatrix}{b1} \\{b2}\end{pmatrix}$

[0287] where C1 has information comprising matrix M1 and vector b1, andC2 has information comprising matrix M2 and vector b2. Matrices M1 andM2 are of size N¹×n and N₂×n, respectively, where N₁+N₂=n. The lengthsof the vectors b1 and b2 are N₁ and N2, respectively. In an embodiment,the following sequence of steps may be employed:

[0288] 1. A master key is chosen as is a seed for generating randomnumbers.

[0289] 2. C1 and C2 agree on an index k and size K.

[0290] 3. (a) C 1 creates a new random matrix of order N₁×K and thencreates matrix B1 by substituting vector b1 as the k^(th) column of thisnew random matrix.

[0291] (b) C2 creates a new random matrix of order N₂×K and createsmatrix B2 by substituting vector b2 as the k^(th) column of this newrandom matrix.

[0292] 4. (a) C1 creates a random permutation vector π11 of length N₁and a random vector α1 of length N₁.

[0293] (b) C2 creates a random permutation vector π12 of length N₂ and arandom vector α2 of length N₂.

[0294] (c) C1 and C2 jointly create and share random permutation vectorsπ2 of length n and π3 of length K. They also create and share randomvectors β of length n and γ of length K.

[0295] 5. (a) C1 uses these to create the N₁×N₁ weighted permutationmatrix

P ¹¹(i,j)=α1(i) if π11(i)=j; =0 otherwise

[0296] (b) C2 uses these to create the N₂×N₂ weighted permutation matrix

P ₁₂(i,j)=α2(i) if α2(i)=j; =0 otherwise

[0297] (c) C1 and C2 both create the n×n weighted permutation matrix

P ₂(i,j)=β(i) if π2(i)=j; =0 otherwise

[0298] and the K×K weighted permutation matrix

[0299]P ₃(i,j)=γ(i) if π3(i)=j; =0 otherwise

[0300] 6. (a) C1 computes matrices {circumflex over (M)}1=P₁₁M1P₂ ⁻¹,and {circumflex over (B)}1=P₁₁B1P₃ ⁻¹.

[0301] (b) C2 computes matrices {circumflex over (M)}2=P₁₂M1P₂ ⁻¹, and{circumflex over (B)}2=P₁₂B1P₃ ⁻¹.

[0302] 7. The linear system of n equations ${\begin{pmatrix}{\hat{M}1} \\{\hat{M}2}\end{pmatrix}\begin{pmatrix}{\hat{z}1} \\{\hat{z}2}\end{pmatrix}} = \begin{pmatrix}{\hat{B}1} \\{\hat{B}2}\end{pmatrix}$

[0303] is outsourced to A for solution and the disguised result({circumflex over (z)}1, {circumflex over (z)}2) is returned by A to C1and C2.

[0304] 8. (a) C1 computes z1=P₂ ⁻¹{circumflex over (z)}1P₃.

[0305] (b) C2 computes z2=P₂ ⁻¹{circumflex over (z)}2P₃.

[0306] Note that the above requires O(n²) time in local computations bythe customers C1 and C2, which is the minimum possible since the probleminvolves O(n²) data. The outsourced computations, on the other hand,require O(n³) operations and their burden is borne by the outsourcingagent A.

[0307] The unveiling data used in step 8 above are the matrices P₂ andP₃. Note that if C1 and C2 do not need to know the entire solution({circumflex over (z)}1, {circumflex over (z)}2) then they can agreethat A returns only the respective part to each, i.e, {circumflex over(z)}1 to C1 and {circumflex over (z)}2 to C2. This does not assuresecurity, however. If P₁₁, and P₁₂ are dense random matrices, then evenbetter security is achieved, but then the matrix multiplications thatwere done locally by C1 and C2 (such as in step 6(a)-(b) above), andthat took O(n²) local computation time, should no longer be done locallybecause they would now take O(n³) time. They can be outsourced accordingto disguise procedure DP5 hereof.

Convolution of Two Vectors

[0308] Recall that the convolution vector z of two vectors x and y (bothof size M), denoted as z=x

y, is another vector of size M defined by$z_{i} = {\sum\limits_{k = 0}^{M - 1}{x_{i - k}y_{k}}}$

[0309] where all indices are modulo M, and 0≦i≦M−1. A reverseconvolution is when the subscript of x in the above equation is i+krather than i−k. The methods of the present invention described hereinalso work for reverse convolution.

[0310] An example of solving a convolution problem according to themutually secure outsourcing methods of the present invention follows. Inthis example, customer C1 has data vectors x, x′ and customer C2 hasdata vectors y, y′ (all of which are of size M). The problem is to useagent A so that C1 obtains x′+y′+x

y, C2 obtains x′+y′+x

y, and (as usual) A learns nothing about the private data of C1 or C2 orthe answer to their computation, and neither C1 nor C2 learn anythingabout the other party's inputs, other than what can be derived fromknowing the answer each receives from the outsourced computation.Essentially the same methods (with minor modifications) solve theasymmetric version of the problem, in which only C1 is to know x′+y′+x

y. Of course, the special case when both x′ and y′ are zero is theoriginal (unmodified) convolution problem, which is therefore solved asa special case of the schemes given below.

[0311] Two alternative methods of solving this example are provided. Thecomplexity of either method is linear in the size of the inputs, i.e.,it is O(M). The amount of local computation done by C1 and C2 is O(M)time, so it is A that bears the brunt of the computational burden (whichis superlinear for convolutions). All vectors in what follows are of thesame size M.

[0312] We formulate the first method for the asymmetric case, when C1(but not C2) is supposed to learn x′+y′+x

y. Although one could solve the symmetric version of the problem byrunning the asymmetric one twice (with the roles of C1 and C2interchanged in the second run), various optimizations are possible ifone combines these two runs in the symmetric version of the secondmethod discussed hereinafter. The second method is formulated below forthe symmetric case. It is understood that the essential idea of eithermethod works for both the symmetric and asymmetric versions of theproblem.

[0313] Method 1

[0314] 1. C1 and C2 jointly generate two random vectors R and R′.

[0315] 2. C1 sends to A the vector x+R, and C2 sends to A the vectory+R′.

[0316] 3. C2 generates a random vector r and sends to A the vector r−y′.

[0317] 4. A computes the convolution of vector x+R and vector y+R′, addsto it the vector r−y′ received from C2 in Step 3, and sends the resultto C1. In other words, C1 receives result w where

w =( x+R)

(y+R )+ r−y′.

[0318] 5. C1 engages, with an outside agent A′, in a secure (justtwo-party—not involving C2) outsourcing method a type discussed hereinfor computing vector w₁=(x +R)

R′. Recall that this is done without revealing to A′ either (x +R) orR′. Similarly, C2 uses A′ to obtain convolution y

R and then sends to A vector w₂=y

R+r. It is preferred, but not required, that A′ be different from A. Thepurpose of this step is to get A′ to do the bulk of the computationaltask of convolution computations, so that C1 and C2 only performcomputations that take time that is linear in relation to the size oftheir data. This step can be skipped if we do not mind C1 and C2performing local computations (without using A′) that take superlineartime.

[0319] 6. C1 then computes w−w¹−w₂, which is equal to x

y+y′. By adding x′ thereto (which C1 originally knew), C1 then mayobtain the desired “x

y+y′+x′.”

[0320] Method 2

[0321] 1. C1 and C2 jointly generate four random vectors r, r, R, R′.

[0322] 2. C1 engages, with an outside agent A′, in a secure (justtwo-party—not involving C2) outsourcing method of a type discussedherein for computing x

R′. Recall that this is done without revealing to A′ either x or R′.Similarly, C2 uses A′ to obtain R

(y+R′ ). It is preferred, but not required, that A′ be different from A.As before, the purpose of this step is to get A′ to do the bulk of thecomputational task of convolution computations, so that C1 and C2 onlyperform computations that take time linear in relation to the size oftheir data. This step can be skipped if we do not mind C1 and C2performing local computations (without using A′) that take superlineartime.

[0323] 3. C1 sends to A the vectors w₁=x+R and s₁x

R′+r−x′ (where x

R′ is available to C1 from the previous step).

[0324] 4. C2 sends to A the vectors w₂=y+R′ and s₂=R

(y+R′)+r′−y′ (where R

(y+R) is available to C2 from Step 2).

[0325] 5. A computes v=w₁

w₂−S1 −S₂, which equals x

y+x′+y′−(r+r); A then sends v to A and B.

[0326] In the asymmetric version of the problem (in which only C1 is toknow x′+y′+x

y), A does not send anything to C2 in this step.

[0327] 6. C1 (and, in the symmetric version of the problem, C2) thencomputes v+(r+r′), which equals the desired “x

y+x′+y′.”

[0328] It is within the scope of the present invention that operationsother than the convolution product can be carried out using suitablymodified versions of either one of the above two methods. As discussedhereinafter, these include matrix product, in which case C1 and C2 eachwould have private matrices, and r, r′, R, R′ would be random matrices.

[0329] In another embodiment of the present invention, the secureoutsourcing techniques discussed above are used to provide matchingbetween a first piece of data and a second piece of data. For instance,the computing center 50 can be used to provide template matching inimage analysis, facial image matching, hand geometry matching,fingerprint matching, DNA matching, retinal scan matching, iris patternmatching, signature matching, voice print matching, credit cardmatching, approximate string similarity, and in similar applications. Inthis embodiment, the first subsystem 30 illustratively providesdisguised data to the computing center 50. Subsystem 330 also providesdisguised data such as data from a database to computing center 50.Computing center 50 then compares the disguised data received fromsubsystem 30 to the disguised data received from subsystem 330 todetermine if a match is present. If so, computing center 50 returns a“yes” answer to subsystem 30. If no match is found, computing centerreturns a “no” answer to subsystem 30. The data from subsystems 30 and330 must be disguised in the same way to enable the matching. Thecustomers C1 and C2 illustratively communicate over the network 40 in asecure manner to exchange disguise information used to generate thedisguised data.

[0330] In an embodiment of the present invention shown in FIG. 5,subsystem 30 is coupled to a separate function controller 31. If a matchis verified from computing center 50, computer 32 of subsystem 30provides instructions to perform a certain function to functioncontroller 31. For instance, if an identity match is made, computer 32enables a function such as approving access to an area of a building,automatically unlocking a door, approving a business transaction such asa credit card transaction, a banking transaction, an e-commercetransaction, and other forms of business transactions as would occur tothose of skill in the art.

[0331]FIG. 6 is a flowchart illustrating steps performed to obtainmatching information and perform a transaction or function in accordancewith the present invention. First, biometric or other data is obtainedby computer 32 using an input device 36 as illustrated in the step shownas block 340 of FIG. 6. Illustratively, the input device 36 may be afingerprint reader, voice print reader, face or hand geometry reader,iris or retina scanner, a bar code reader, and RF or IR receiver, amagnetic stripe reader, a smart card reader, or other type of inputdevice. The data is then formatted using standard formatting procedures.For example, biometric data may be formatted using CBEFF format whichfacilitates biometric data interchange between different systemcomponents and facilitates operability of biometric-based applicationprograms and systems.

[0332] Once the data is obtained and formatted in the step shown asblock 340, subsystem 30 exchanges disguise information with subsystem330 and/or computing center 50 in a secure 1 manner over network 40 asillustrated in the step shown as block 341. Computer 32 then uses thedisguise information to disguise the data in the step shown as block 342using the disguise techniques discussed herein or other suitabledisguise techniques. Disguised data is then transmitted to the computingcenter 50 illustratively via network 40 as illustrated in the step shownas block 344. Computing center 50 may be located at a remote locationsuch as at an outside facility or at another location within the samefacility as subsystem 30. Computing center 50 then compares thedisguised data received from subsystem 30 to disguised stored recordsstored in computer memory 54 or to disguised records received fromanother subsystem such as subsystem 330 as illustrated in the step shownas block 346. If at match is found in the step shown as block 346, thena “yes” answer is transmitted from computing center 50 to subsystem 30via network 40. The transaction or function is then approved by computer34 and performed in the step shown as block 348. If no match is found atstep 346, then a “no” answer is transmitted from computing center 50 tosubsystem 30 via network 40. The transaction or function is then deniedby computer 34 as illustrated in the step shown as block 350.

Image Analysis

[0333] Determining if one image is a subset of another arises in manysituations. For example, private image information (e.g., a person'sface or a picture of the entrance to King Solomon's mines) can becompared to a secret set of images (e.g., photos of suspected foreignagents or spy satellite pictures) according to mutually secureoutsourcing techniques of the present invention.

[0334] In an embodiment of image analysis according to the presentinvention, customer C1 possesses an N×N image I, and customer C2 possesa smaller n×n image object P. Image I can be viewed as a N×N imagematrix, and image object P can be viewed as a n×n image matrix.Customers C1 and C2 desires to compute, with the help of Agent A an(N−n+1)×(N−n+1) score matrix C_(I,P) of the form: $\begin{matrix}{{C_{I,{P{({i,j})}}} = {\sum\limits_{k = 0}^{n - 1}{\sum\limits_{k^{\prime} = 0}^{n - 1}{f\left( {{I\left( {{i + k},{j + k^{\prime}}} \right)},{P\left( {k,k^{\prime}} \right)}} \right)}}}};} & {{0 \leq i},{j \leq {N - n}}}\end{matrix}$

[0335] for some function f(x,y). Score matrices are often used in imageanalysis, specifically in image template matching, when one is trying todetermine whether (and where) an object occurs in an image. A smallC_(I,P)(i,j) indicates an approximate occurrence of the image object Pin the image I (a zero indicates an exact occurrence). C1 and C2 do notwish to reveal to A either I or P or the score matrix C_(I,P)(i,j).

[0336] Frequent choices for the score matrix function f(x,y) aref(x,y)=(x−y)² and f(x,y)=|x−y|. First, consider the case wheref(x,y)=(x−y)². Accordingly, the score matrix C_(I,P) takes on the form:${{C_{I,{P{({i,j})}}} = {\sum\limits_{k = 0}^{n - 1}\quad {\sum\limits_{k^{\prime} = 0}^{n - 1}\quad \left( {{I\left( {{i + k},{j + k^{\prime}}} \right)} - {P\left( {k,k^{\prime}} \right)}} \right)^{2}}}};\quad {0 \leq i}},{j \leq {N - n}}$

[0337] The score matrix function for the case f(x,y)=(x−y)² ismathematically equivalent to:

f(x,y)=(x−y)² =x ² +y ²=2xy,

[0338] and can be viewed as the sum of three matrices M′, M″, M, eachcorresponding to one of the above three terms on the right-hand side.Let M′ (and respectively, M″) be the matrix that corresponds to the x²term (and respectively, the y² term). Thus, M′ depends on only image Iand is computed by C1 in O(N²) time. Accordingly, although thiscomputation can be outsourced if desired, performing the computation iswithin the computational limitations of C1. Likewise, M″ depends on onlyimage object P and is computed by C2 in O(n²) time. Outsourcing of thiscomputation is possible if desired, but performing the computation iswithin the computational limitations of C2.

[0339] The matrix M that corresponds to the xy term is a two-dimensionalreverse convolution. Computation of matrix M can be accomplished throughthe use of either method described above (as “Method 1” and “Method 2”)for one-dimensional convolutions, as adapted for use in the computationof two-dimensional convolutions. The following substitutions are madeinto Method 1 and/or Method 2 to accomplish this:

[0340] image I replaces x

[0341] matrix M′ replaces x′

[0342] image object P replaces y

[0343] matrix M″ replaces y′, and

[0344] matrix M replaces x

y

[0345] The remainder of the computation proceeds as described above.Accordingly, C1 (and, if desired, C2) receive the result x′+y′+x

y, which equates to M′+M″+M. The result of M′+M″+M is score matrixC_(I,P). Thus, for the score matrix function f(x,y)=(x−y)², mutuallysecure computation of the C_(I,P) score matrix is achieved.

[0346] Second, in the second case where the score matrix function is ofthe form f(x,y)=|x−y|, the score matrix function f(x,y)=|x−y| reduces tof(x,y)=max(x,y), because |x−y|=max(x,y)+max(−x,−y). However, this simplereduction should not be used “as is” because it would reveal more thanjust the overall score matrix. It would reveal one score matrix formax(x,y) and another for max(−x,−y), which provides more informationabout image I and image object P that is necessary.

[0347] However, a practitioner of this embodiment of the presentinvention can use a slightly modified version of the f(x,y)=max(x,y)score matrix function that gives C1 and C2 the score matrix C_(I,P) aswell as two random matrices generated, respectively, by C1 and C2. Thismodified version is then used twice—once for each of the max(x,y) andmax (−x,−y) in the above equation —and then the two random matrices aresubtracted out by C1 and C2 (with each other's help). Accordingly, it islegitimate to consider the f(x,y)=|x−y| problem to be reduced to thef(x,y)=max(x,y) problem modified in the above-mentioned way. Therefore,in the discussion which follows, the modified score matrix functionf(x,y)=max(x,y) is used, but two random matrices (one from C1 and onefrom C2) end up added to the resulting score matrix C_(I,P).

[0348] The method for this embodiment uses as a subroutine atwo-dimensional version of a securely outsourced convolution techniqueof the present invention. Let S be the alphabet, i.e., the set ofsymbols that appear in I or P. For every symbol xεS the following Steps1-6 are performed:

[0349] 1. C1 replaces, in I, every symbol other than x with 0 (every xin I stays the same). Let I_(x) be the resulting image. C1 alsogenerates a random matrix M_(A,x).

[0350] 2. C2 replaces every symbol that is less than or equal to x with1 in P, and replace every other symbol with 0. Let Px be the resultingimage. C2 augments Px into an N×N matrix Π_(x) by padding it withzeroes. C2 also generates a random matrix M_(B,x).

[0351] 3. Using a mutually secure outsourcing method of the presentinvention, agent A computes D_(x)=I_(x)

Π_(x)+M_(A,x)+M_(B,x) (where

signifies a reverse convolution in this case). In equation form, agent Acomputes:${D_{x}\left( {i,j} \right)} = {{M_{A,x}\left( {i,j} \right)} + {M_{B,x}\left( {i,j} \right)} + {\sum\limits_{k = 0}^{n - 1}\quad {\sum\limits_{k^{\prime} = 0}^{n - 1}\quad \left( {{{{I_{x}\left( {{i + k},{j + k^{\prime}}} \right)}\left( {\Pi_{x}\left( {k,k^{\prime}} \right)} \right)};\quad {0 \leq i}},{j \leq {N - n}}} \right.}}}$

[0352] 4. C2 replaces, in the original P (i.e., not the P modified byStep 2), every symbol other than x with 0 (every x in P stays the same).Let P′_(x) be the resulting image. C2 augments P′_(x) into an N×N matrixΠ′_(x) by padding it with zeroes. C2 also generates a random matrixM′_(B,x).

[0353] 5. C1 replaces every symbol that is less than x with 1 in theoriginal I, and every other symbol with 0. Let I′_(x) be the resultingimage. C1 also generates a random matrix M′_(A,x).

[0354] 6. Using a mutually secure outsourcing method of the presentinvention, agent A computes D′_(X)=I′_(x)

Π′_(x)+M′_(A,x)+M′_(B,x) (where

signifies a reverse convolution in this case). In equation form, agent Acomputes:${D_{x}^{\prime}\left( {i,j} \right)} = {{M_{A,x}^{\prime}\left( {i,j} \right)} + {M_{B,x}^{\prime}\left( {i,j} \right)} + {\sum\limits_{k = 0}^{n - 1}\quad {\sum\limits_{k^{\prime} = 0}^{n - 1}\quad \left( {{{{I_{x}^{\prime}\left( {{i + k},{j + k^{\prime}}} \right)}\left( {\Pi_{x}^{\prime}\left( {k,k^{\prime}} \right)} \right)};\quad {0 \leq i}},{j \leq {N - n}}} \right.}}}$

[0355] Assuming the above Steps 1-6 have been done for every xεS, C1 andC2 now have the sum of all matrices D_(x)(i,j) and D′_(x)(i,j), whichis:${\sum\limits_{x \in S}\quad \left( {D_{x} + D_{x}^{\prime}} \right)} = {C_{I,P} + M_{A} + M_{A}^{\prime} + M_{B} + M_{B}^{\prime}}$

[0356] where

[0357] M_(A)=Σ_(xεS) M_(A,x)

[0358] M′_(A)=Σ_(xεS) M′_(A,x)

[0359] M_(B)=Σ_(xεS) M_(B,x)

[0360] M′_(B)=Σ_(xεS) M′_(B,x)

[0361] Accordingly, both C1 and C2 have score matrix C_(I,P) thatcorresponds to score matrix function f(x,y)=max(x,y), as well as tworandom matrices, one of which is created by C1 (matrix M_(A)+M′_(A)) andthe other created by C2 (matrix M_(B)+M′_(B)). If C1 and C2 shareinformation about their respective random matrices, both C1 and C2 andderive score matrix C_(I,P). The above requires a plurality oftwo-dimensional convolutions computations. The superlinear computationalburden of these convolutions falls on the outsourcing agent(s) ratherthan on C1 and C2.

Fingerprint Matching

[0362] A visual, pixel by pixel comparison approach to matchingfingerprints has been tried (it was used by law enforcement, etc., fordecades) and found to be too slow for large sets of fingerprints, evenusing computers. Therefore, it is desirable to find a more efficient wayof comparing fingerprints, while keeping the fingerprint informationsecure.

[0363] Fingerprint identification has three distinct levels:

[0364] Level 1: The pattern of ridges are classified into one of a smallnumber of “types” depending on the general shapes of the patterns. Foreach type, some parts (features) are identified, e.g., the center of awhorl or the points where a ridge separates into two branches.

[0365] Level 2: Some simple counts are made using the features, e.g.,the number of ridges crossing a line between two points, or the numberof ridges in a whorl. There are perhaps between about 4 to about 20possible Level 2 classes, depending on the fingerprint type andparticular point features used. The classes, plus the associated counts,generate a system with many thousands of classifications. However, realfingerprints are not evenly distributed among these classes and thechances of an accidental match can be as low as one in a thousand forthe more common classes.

[0366] Level 3: Minutia are small details such as: a ridge with a break,two ridges joined, a ridge has an “island” in it, a bridge (short ridge)joining two ridges. There are hundreds of minutia on a real fingerprint,many more than enough to make fingerprints unique among all the peoplein the world.

[0367] A Level 2 classification comprises a list of classes followed bythe counts in each class. Two fingerprints are compared by matchingthese lists. The comparison is approximate because counts sometimes varyby one, due to effects in taking fingerprints.

[0368] According to the present invention, fingerprints can be disguisedat Level 2 by mapping the image domain (a rectangle) by a random, smoothfunction. This preserves the classification while hiding the actualfingerprint into another rectangle. Then the resolution is decreased sothat main ridges are clearly visible, but the minutia are not.Alternatively, disguised fingerprints can be compared by making severaltwo-dimensional transforms of each image and comparing these. This addsgreatly to the accuracy of identification when combined with theclassification.

[0369] Fingerprints are compared at Level 3 by examining the minutiacarefully (usually with magnification). Each minutia is typed andlocated on a portion of the image. Even a quarter of a fingerprint hasabout 100 minutia. Some of the minutia are innate to the person andothers are the result of injuries, unclean fingers or fingerprintingdevices, etc. Perhaps 20-40% of the minutia in a fingerprint are notinnate, due to temporary and processing effects. However, the remaining60+% of innate minutia still provide ample basis to identify someoneconclusively, provided the portion of the fingerprint available isreasonably large.

[0370] In an embodiment of the present invention, the minutia arerepresented as a network (planar graph) of nodes with data at each node.Subgraphs of these graphs can be represented as strings and thendisguised. The subgraphs to be compared in this way are identified usingsuch means as would occur to those of skill in the art.

[0371] The string comparison method of disguise procedure DP18 discussedherein can be adapted for use to measure the similarity of the disguisedsubgraphs. Accordingly, a subgraph of fingerprint submitted forcomparison comprises string T of disguise procedure DP18. A knownfingerprint image, such as for example, a fingerprint image from a lawenforcement organization's database, comprises pattern P of disguiseprocedure DP18. Score matrix CT,P is calculated according to DP18.

[0372] In an embodiment, the comparison of fingerprints can beoutsourced with mutual security. A person can have his fingerprint takenand disguised. Then it can be compared by an agent A againstfingerprints of known persons disguised in the same way. A person'sidentity is kept confidential through the disguise of his fingerprint.Further, such a procedure can be automated such as, for example, throughthe use of a device that automatically applies the disguises to afingerprint as its imprint is taken, and then automatically compares thefingerprint against known fingerprints without giving any externalaccess to the fingerprint under comparison.

[0373] In an exampled of mutually secure fingerprint comparisonaccording to the present invention, police department C1 has fingerprintimages from several possible suspects. The FBI (C2) agrees to check themfor prior criminal records, but neither C1 nor C2 has the authority torelease fingerprint images to the other. C1 and C2 agree to checkwhether and fingerprints held by C1 matches any fingerprints in thefiles of C2, using the mutually secure computational outsourcingtechniques of the present invention. As discussed above, the mutuallysecure computational outsourcing methods of the present comprisingstring matching may be adapted for such a comparison.

[0374] The mutually secure outsourcing methods of the present inventionmay be adapted for many forms of computations, including computationswhere the information for the computation is held by three or moreparties. In general, according to the present invention, the partiesagree on a mutually acceptable disguising operation, each party appliesthe disguising operation to its part of the data, the disguised data isoutsourced for computation, one or more disguised results are received,and, if necessary, the parties exchange the unveiling data so that eachparty can unveil the actual result(s) of the computation.

[0375] Oil Exploration (Seismic Data Analysis).

[0376] In an example comprising analysis of seismic data, companies C1and C2 have seismic data on adjacent or intertwined geologic regions. Agraphical representation of such a geological structure is shown in FIG.7. Company C1 has seismic data on region x of FIG. 7. Company C2 hasseismic data on geologic region y of FIG. 7. The desired informationpertains to the geological structure for the area bounded as shown atthe bottom of FIG. 7, comprising a portion of region x and a portion ofregion y. Companies C1 and C2 agree to combine their respective data forcomputations and share the resulting characteristics of the desiredgeological structure generated from the computations, without actuallyexchanging the data about geologic region x or geologic region y.

[0377] It is known in the art that geologic structure computations mayinvolve a sequence of solving a plurality of subproblems, and themethods of the present invention are adaptable for this purpose. Inaddition, in some cases, a practitioner may need to disguise only theinitial phases of the calculation to achieve an appropriate level ofsecurity.

[0378] Identity Matching.

[0379] In the following examples, a comparison of identification data isdesired by two owners of such identification data.

[0380] (A) Person C1 and police department C2 have DNA sequences. PersonC1 might want to prove that he is not one of a set of crime suspects, anescaped felon, etc., without providing police department C2 with hisDNA. Person C1 and police department C2 may agree to check whether C1'sDNA matches any sequence held by C2, using the mutually securecomputational outsourcing techniques of the present invention. Themutually secure computational outsourcing techniques involving stringcomparison may be adapted for such a comparison.

[0381] (B) A customer C1 presents his credit card with embedded privateinformation (e.g., card number, retinal scan, fingerprints, voiceprint). Merchant C2 asks to check it against a list of stolen,fraudulent or invalid cards before letting the customer purchase anitem. Using the mutually secure computational outsourcing techniques ofthe present invention, merchant C2 can do so without distributing thecustomer C1's private information to holders of the lists of bad cards,and without seeing the information itself. The mutually securecomputational outsourcing techniques involving string comparison may beadapted for such a comparison.

[0382] Approximate String Similarity.

[0383] The mutually secure computational outsourcing techniques of thepresent invention can be adapted for checking whether two strings aresimilar. Examples of such applications include analyzing if two texts(e.g., manuscripts or computer programs) are similar, such as, forexample, to check for plagiarism or software piracy. However,application of the mutually secure computational outsourcing techniquesof the present invention to string similarity analysis is not the sameas in image matching or string matching. In string similarity analysisit is necessary to allow variability in string element during theanalysis, to account for the fact that some text or software code mightbe deleted, added or replaced by text or software code of a differentlength.

[0384] Multi-Component Simulation.

[0385] In an example comprising two manufacturers wherein manufacturerC1 has a gas turbine compressor design and manufacturer C2 has a gasturbine combustor design. Manufacturers C1 and C2 wish to know theperformance of gas turbine made of these components, but they do notwant to reveal their designs to each other. Such a simulation mayinvolve the solution of a very large systems of equations. Thus, C1 andC2 could independently create their simulation equations, agree on howthey interface and on a disguise technique, and then have the combinedequations outsourced for solution using a mutually secure computationaloutsourcing technique of the present invention.

Disguise of Planar Graphs

[0386] A planar graph is a set of nodes that is connected by edges(lines) and the nodes may have data (such as, for example, coordinatesand/or other data elements) associated with them. A simple example of aplanar graph is shown in FIG. 8. Shown in FIG. 8 in association witheach node are the coordinate of the node, and a data element comprisinga color.

[0387] To disguise a planar graph, an algorithm is used to convert theplanar graph to a character string. The data associated with the nodesthen may be embedded in this string. One or more of the disguiseprocedures of the present invention can be used to disguise theresulting string.

[0388] Planar graph applications generally involve graphs withparticular structure and patterns that can be used to simplify thedisguise procedure. One illustrative software product for generatingplanar graphs is Visionics Inc.'s Face It system. Two examples,fingerprint comparison and human face recognition, illustrate theapplication of disguise techniques to planar graphs.

[0389] Human face recognition can be done by the “pixel by pixel”comparison approach. However, the number of comparisons requiredsuggests that the pixel by pixel comparison approach is not the mostdesirable way to perform this comparison. Another drawback of thepixel-by-pixel approach is that the two pictures desired to be comparedmust be scaled to have the same size and they must be transformed sothey are seen from the same direction. Even after this is done, apotentially large computation awaits. Therefore, it is desirable to finda more efficient way of comparing human face images. It is alsodesirable, in certain circumstances such as law enforcement, to protectthe identities of the individuals whose faces are being compared.

[0390] The present invention comprises a method of disguising an imageof a first human face, and comparing the disguised facial image againsta disguised image of a second human face. A practical application ofthis method is for human face recognition. An example of human facecomparison using a disguise operation is illustrated by FIGS. 9 and 10.Disguised images are useful when it is desired to maintain secret theidentity of the person depicted in an image of a human face. Secrecy ismaintained because the comparison operation is performed using disguisedinformation, and access to the code for unveiling the disguisedinformation is restricted. As shown in FIG. 9, and in the step shown asblock 910 of FIG. 10, a number of points may be located on an image of ahuman face using computer programming logic. These points form a graphas illustrated in FIG. 9. The graph is “fixed,” i.e., the same graph isused for the first facial image and the second facial image. Only thecoordinates of the graph points and the data elements (if any)associated with the graph points change between the first facial imageand the second facial image.

[0391] The coordinates of each graph point for each of the first facialimage and the second facial image are determined in the step shown asblock 920 of FIG. 10. If the facial images to be compared are not of thesame size, a practitioner of the present invention must scale them tohave the same size. If the facial images are not seen from a frontalview, a practitioner of the present invention should adjust thecoordinates to generate frontal view coordinates.

[0392] To disguise each of the planar graphs, a vector for each graph iscreated. The planar graph representation of each facial image, such asthat shown in FIG. 9, is reduced to a vector of N integers, in the stepshown as block 930 of FIG. 10, by numbering the nodes and listing thegraph point coordinates in numbered order. The data associated with thenodes then may be embedded in this vector.

[0393] In the step shown as block 940, the vector for the graphrepresentation each of the first and the second facial image isdisguised through the following steps, executed using computerprogramming logic: (1) a random permutation of the integers 1 to N isperformed, and the vector is reorder accordingly; and (2) a randomvector of N numbers in the range of about 20% (or more) of the facecoordinate value range is generated, and this random vector is added tothe previously reordered vector. If each graph representation isdisguised using the same disguise technique, the disguised facial imagesfor each of the first and the second facial images then may be comparedby using a traditional comparison technique known in the art, such asthe least squares or maximum distances between vectors method. When acomparison is determined to be successful, then the facial graphrepresentations may be unveiled, using programming logic to perform thereverse function of the disguising operation and reveal the facialimages.

[0394] The disclosed planar graph-based approaches to identificationusing disguise operations may be adapted for use in many additionaldiverse situations, including, for example, recognizing birds,airplanes, vehicles, furniture, buildings, and the like.

Securing Data and Files

[0395] There are many security risks against which it is desirable toprotect data and program files. For example:

[0396] Image Theft, wherein an entire computer system (such as aportable or handheld device), file system or database (such as would bestored on computer disks, CD-ROMs, or other storage medium) containingan electronic image of the entire data set, is taken or copied;

[0397] Data Theft, wherein an end user accesses a computer system andobtains or copies some part of the data (for example, by printing theinformation displayed on a display screen coupled to the computersystem, or by obtaining access to the data through a breach insecurity);

[0398] Tampering by Unauthorized Persons, wherein an end user accessesthe system and changes some part of the data without the properauthorization; and

[0399] Tampering by Authorized Persons, wherein an end user with properauthorization changes some part of the data in an erroneous, unintended,or improper way.

[0400] Data sets stored on a computer normally are accessed, either byan end user or a computer program, through an access program. Forexample, a word processing program is an access program for a datasetcomprising a word processing document, a database system is an accessprogram for a data set comprising financial information, a digital musicreader is an access program for a data set comprising a digital musicfile, and a MPEG viewer is an access program for a data set comprising amotion picture.

[0401]FIG. 11 shows a diagrammatic representation of a system forsecuring data and files according to the present invention. As shown inFIG. 11, memory 300 of a computer system 400 comprise an access program500 and an associated data set 600. Memory 300 may comprise one or morecomputer memory components of the solid-state electronic type,electromagnetic type such as a hard disk drive, optical type like aCompact Disk Read Only Memory (CD ROM), a combination of any two or moreof the foregoing, or another memory configuration as would occur tothose skilled in the art. Data set 600 comprises data or information,such as, for example, a document, spreadsheet, digital music file, orother form of electronically stored data or information as would occurto those skilled in the art. For example, if data set 600 comprises adocument, then a document reader, such as the software known by thetrade name Adobe Acrobat, can be used to access and read, or “unveil,”the data set 600. In this example, the Adobe Acrobat reader is accessprogram 500.

[0402] An embodiment of the method for securing data and files accordingto the present invention comprises performing a disguise operation ondata set 600, and tamperproofing access program 500. As used herein,“tamperproofing” comprises the application of one or more of thetechniques described in U.S. application Ser. No. 09/455,580, filed Dec.6, 1999, which is incorporated herein by reference. A high degree ofsecurity may be achieved by disguising data set 600 according to themethods described herein in conjunction with tamperproofing accessprogram 500. However, other embodiments of the present invention mayobtain moderate security simply by disguising data set 600, withouttamperproofing access program 500.

[0403]FIG. 12 shows a flow chart illustrating an embodiment of a methodfor securing data and files according to the present invention. In thestep shown in the step shown as block 710 of FIG. 12, data set 600 isselected. Selection of data set 600 may be accomplished by a human enduser via a user interface coupled to computer system 400, or by acomputer program using computer programming logic. Also in the stepshown as block 710, access program 500 for data set 600 is selected.Ordinarily, access program 500 is selected automatically using computerprogramming logic based on the data set 600 selected, but this is notalways the case. Access program may be selected by a human end user viaa user interface coupled to computer system 400.

[0404] In the step shown as block 720 of FIG. 12, the selected data set600 is disguised using on or more of the data disguise techniquesaccording to the present invention. The disguise technique selected fordisguising data set 600 may be embodied in computer programming logic.Where the disguise technique comprises generating random numbers to beused in disguising data set 600, the computer programming logic mayinclude a “key” that comprises one or more seeds for generating randomnumbers.

[0405] In an embodiment, data set 600 is disguised in the step shown asblock 720 using a disguise technique that modifies the data set 600 insome way. For example, a random number may be generated corresponding toeach data element in data set 600. Each data element in data set 600 maybe modified by adding a random number to the data element. In anotherexample, the data elements in the data set 600 may be randomlyreordered.

[0406] After data set 600 is disguised, it can be undisguised orunveiled to recover the actual data set 600 using the access program500, which is adapted for that purpose. In an embodiment, access program500 comprises a key for reversing the disguise technique applied to dataset 600 and unveiling the data. Alternatively, the user may be promptedto enter the key through a user interface when the user attempts toaccess data set 600 or access program 500.

[0407] In some situations, the only a small portion of data set 600 needbe disguised to adequately protect it. For example, disguising about1%-2% of a computer program may make it inoperable. Similarly,disguising about 5% of a music file may make it unacceptable forlistening. On the other hand, disguising even 30%-40% of naturallanguage (text or speech) might not make it unusable because of the highlevel of redundancy and context dependency in natural languages.Therefore, stronger protection is needed for data having a high level ofredundancy and context dependency.

[0408] Encryption also can be used to hide the information in data set600. Encryption will be known by those skilled in the art to be aprocess by which data is translated into an unintelligible form using apredefined encryption algorithm. However, if the data is encrypted,instead of disguised, an external agent cannot perform computations onthe data without first decrypting it.

[0409] Disguise techniques have important efficiency advantages overencryption. Disguise operations are faster than encryption because ittakes less work (e.g., programming code) to generate a random number tomodify one element of data set 600 than it takes to encrypt or decryptthe same element. In addition, the encrypted data must be decryptedprior to performing a computation. In a computation outsourcingtransaction, the outsourcing agent, such as, for example, computingcenter 50, has access to the actual data after it is decrypted, therebycompromising security.

[0410] Another advantage arises if data set 600 comprises real numbers.A disguise operation according to the present invention can treat thesereal numbers as atomic units rather than bit strings. Accordingly,computer hardware's floating-point processor may be used directly toperform a disguising operation, resulting in a substantial gain inefficiency.

[0411] Referring back to FIG. 12, in the step shown as block 730 thereofaccess program 500 is tamperproofed. In an embodiment, thetamperproofing technique(s) selected for access program 500 is/areembodied in computer programming logic, wherein access program 500comprises an input to the computer programming logic, and atamperproofed access program 500 comprises an output therefrom. Althoughdisguising data set 600 protects against image and data theft, it doesnot protect against tampering or theft of the access program 500 whichis used to unveil data set 600. Accordingly, tampering, theft, orunauthorized use of access program 500 may reduce the security of dataset 600. The misappropriation of data set 600, and the tampering, theft,and/or unauthorized use of the access program 500, both can be preventedby tamperproofing access program 500 in combination with disguising dataset 600.

[0412] One tamperproofing technique according to the present inventioncomprises obfuscating the computer programming code of the accessprogram 500 to make to code difficult for an attacker to understand andanalyze, but without sacrificing of any capabilities of access program500. However, even obfuscated code may be attacked by executing accessprogram 500 on a hardware simulator and then observing all thecomputations and data flow. In particular, when random numbers are usedin disguising data set 600, an attacker might be able to observe therandom numbers being generated and where they are used. This couldcompromise the security of data set 600. This kind of attack isexpensive, but well within the capability of sophisticated anddetermined attackers.

[0413] There are steps that can be taken to defeat such an attack, asshown in FIG. 13. In the step shown as block 810 thereof, access program500 is partitioned into two parts: access authorization program 510 andunveiling program 520. Access program 510 is operable to determinewhether execution of unveiling program 520 is authorized. Unveilingprogram 520 is operable to unveil data set 600.

[0414] In the step shown as block 830, access authorization program 510is executed. Access authorization program 510 determines, in the stepshown as block 840, whether execution of unveiling program 520 isauthorized. In so doing, access authorization program 510 may verifythat the user and/or the computer attempting to access data set 600is/are authorized to do so. For example, the user may be required toprovide a password, or may be required to provide biometric input, withaccess authorization program 510 then comparing the password orbiometric input to a predetermined value. In another example, thecomputer's serial number or other unique identifier may be evaluated,and compared to a predetermined value by access authorization program510. Other forms of authorization which may occur to those skilled inthe art also may be employed in access authorization program 510.

[0415] In an embodiment of the present invention, access authorizationprogram 510 may check for the presence of a correct physical outputdevice in the step shown as block 840. For example, access authorizationprogram 510 may determine whether the expected audio output device ispresent for a data set comprising a music file, or whether ananticipated internal electronic path exists on a chip for a data setcomprising a database. Assuming that a physical output device cannot besimulated completely, access authorization program 510 is both protectedby tamperproofing and secure against a hardware simulation attack.Accordingly, access authorization program 510 becomes very difficult tomodify, even by an authorized user, without the loss of essentialcapability. Data set 600 likewise is protected.

[0416] If access is authorized in the step shown as block 840, unveilingprogram 520 and data set 600 are “entangled” in the step shown as block850, as described below. According to an embodiment of the presentinvention, the unveiling program 520 is executed on computer system 400to generate a sequence of random numbers. In one implementation of thisembodiment, a looping process is used. According to this implementation,data elements from data set 600 comprise inputs into the loopingprocess. Thousands of statements are involved and most are used in anexecution of the program, yet only a small number (about 5 to 10) of thestatements perform necessary steps of the computation. The otherstatements are obfuscated which makes it very hard for anyone tounderstand how the program works and thereby remove the securityprotection.

[0417] The sequence of generated random numbers is divided into aplurality of random number generated code segments L_(i), eachcomprising an “unveiling code.” Data set 600 is divided into acorresponding number of data segments D_(i). Then, the codes for therandom number generated segments L_(i) are interleaved between the datasegments D_(i), and the resulting interleaved segments are stored asdata set 600. Accordingly, data set 600 now contains the sequence L₁,D₁, L₂, D₂, . . . L_(n), D_(n), . . . , where each L_(i), D_(i)represent the same part of the original data set 600. Each unveilingcode L_(i) then is executed by unveiling program 520, unveiling itscorresponding data segment D_(i).

[0418] In another embodiment, the function of each unveiling code L_(i)is further enlarged so that it does the following:

[0419] (A) Retrieves the seed of the random number generator fromL_(i−1);

[0420] (B) Generates a number N_(i) of random numbers and the locationswhere they are to be used to unveil D_(i);

[0421] (C) Unveils D_(i) and outputs the resulting information; and

[0422] (D) Prepares the seed for L_(i+1) and transfers control toL_(i+1).

[0423] In alternative embodiments, the program 520 and data set 600 arefurther entangled for higher levels of security.

[0424] Disguise of data set 600 may be further enhanced by insertingsmall false data pieces at the beginning or end of one or more D_(i).These false data pieces are created to appear to be data or program codeor both. This makes it much more difficult to separate the unveilingcode segments L_(i) from the data segments D_(i).

[0425] In the step shown as block 860 of FIG. 12, unveiling program 520is executed on an emulator. An emulator is known to those skilled in theart to be a computer program or other device that imitates anotherprogram or device, for example, a computer program that enables an AppleMacintosh computer to emulate an IBM PC computer.

[0426] To create the emulator, a first programming language with 10-15operations is devised. It is known by those skilled in the art that allcomputations can be expressed by such a language (see Introduction toComputers, by J. K. Rice and J. R. Rice, Holt, Rinehart, and Winston,1969, incorporated by reference herein for a concrete example). Thus, itwill be readily accepted by those skilled in the art that there are manyalternatives for this language and its implementation.

[0427] Next, an emulator for this first programming language is written,using a second programming language that runs on computer system 400.Once the emulator is defined, then the code for unveiling program 520 isexpressed in the emulator language rather than in its originalprogramming language. The benefit from using an emulator rather thanexecuting unveiling program 520 in its original language is twofold.First, and less significant, is that the code for unveiling program 520is further obfuscated because it is expressed in an made-up emulatorlanguage. Second, and more important, is that an attack on the securityof data set 600 using a hardware simulator is no longer effective,because such a simulation only “observes” the execution of the emulatorcode, obscuring the operation of the actual code for unveiling program520 and the delivery of the unveiled data set 600.

[0428] According to the foregoing embodiment, the steps shown as blocks830, 850 and 860 of FIG. 12 all are performed. However, it is within thescope of the present invention to perform only one, or only two of thesteps shown as blocks 830, 850, and 860 to disguise the information 600.

[0429] There are two security risks that are not mitigated by the abovetechniques that are believed to be unavoidable. First is the recordingattack, which is easily illustrated by music or video data. One simplyruns the data through the player (output) device and then makes an audioor video recording is made of the output. This approach will alwaysproduce some perturbation in the data set 600, but with excellentplayers and recorders, the difference may not be apparent to a humanobserver.

[0430] The second risk is the tampering of data by persons authorized tochange the data, i.e., those whose identity satisfies the step shown asblock 840 of FIG. 12. One technique to overcome this problem, one canprevent everyone from changing the data in data set 600. This is morepractical than it seems at first sight. One can keep the data unchanged,but add authorized “notes” about the data. For example, one can have thenote “The deposit on May 7, 2001 is to be changed to $6,459.23. Thebalance for account 123-4567-8901 after May 7, 2001 is increased by$4,000.00. Authorized by Paul B. President on May 7, 2001.” In such acase, access program 500 then must not only access the data, but alsoall the relevant notes.

Disguise Of Databases

[0431] Disguising symbolic information through the use of mathematicalidentities is discussed herein. The idea is, for example, to replace xin a symbolic formula by x*(sin² x+cos² x), which changes nothingcomputationally since sin² x+cos² x=1, but which obfuscates the symbolicinformation. Such identities may not be as useful in non-scientificapplications, since the use of mathematical functions may not occurfrequently in such nonscientific applications. Thus their use indisguising information in nonscientific applications would signal whereand perhaps how the disguising is accomplished. Therefore, it isdesirable to have a disguise technique that can be used innon-scientific applications, and, in particular, it is desirable to beable to disguise computer programs to protect them from the securityrisks discussed herein and other known in the art.

[0432] A database is known by those skilled in the art to be acollection of information stored on one or more computers and organizedso that the information can be accessed by a computer program or by anend user via a user interface. Because a database includes manyindividual items of data, it is desirable to find an efficient way toprotect these individual data entries from security risks, in additionto securing the database as a whole.

[0433] According to an embodiment of the present invention, to protectindividual entries in a database, each data entry is disguised. However,the access key useable to obtain the information from the databaseregarding the data entry is not disguised. For example, if an end useris searching for information on “John Doe,” the user will be able totype in a request to search for all information on “John Doe” andexecute the search, because this key information is not disguised.However, the data retrieved from the database by the search will bemeaningless to the end user unless the end user has the unveiling code,because the data retrieved from the database is disguised. By disguisingeach individual data entry in the database, the database as a whole isalso protected.

[0434] Conceptually, a database can be represented as a text string anddisguised as such according to the text string disguise techniquesdiscussed herein. While this might be useful for transporting a databasefrom one computer storage location to another, it does not allow thedatabase to be accessed efficiently in normal use.

[0435] A more useful abstraction of a database is that a database is thecombination of an access program with a data set comprising dataentries. Accordingly, in the embodiment of the present invention shownin FIG. 14, the database is partitioned into an access program and aplurality of data entries in the step shown as block 1010. In the stepshown as block 1012, a key or locator is assigned to each entry. Inoperation, the access program takes a request for information andcomputes the correct key or keys. This key is then used to locate therequired information to be returned to satisfy the request. Thus, in amodel of a database, for each data entry i, there are data items:

K(i), D(i,j) for j=1,2, . . . , N

[0436] where K is the key and D is the data set.

[0437] In the step shown as block 1014 of FIG. 14, each key and dataentry is disguised. In one embodiment, the disguise operation addsrandom data and numbers to all data entries. If R denotes a randomnumber generator, the model of the disguised database is, for each dataentry i, there are data items:

K*(i)=K(i)+R(i), D*(i,j)=D(i,j)+R(i+j) for j=1,2, . . . , N

[0438] If the database owner keeps R secret, then this provides a simpleway to secure the database from copying or unauthorized access. If it isnecessary for a third party to access the data, the database owner canprovide only that third party with an access code to unveil a singledata entry of the disguised data.

[0439] In another embodiment of the present invention, disguiseoperations are used where the access program has secure useridentification and usage facilities. Accordingly, a user could enter theaccess program and be authorized to use random number generator R insome constrained private way. For example, the database owner mightallow the user to make just one request from the database. The usercould provide K(i), have K*(i) computed (K*(i)=K(i)+R(i)), and privatelyaccess the data D(i,j)=D*(i,j)−R(i+j). This allows the disguised dataK*(i), D*(ij) to be publicly available and the database owner does notneed to monitor the accesses to the data. The access program containingR should be secure. This security can be achieved by tamperproofing theaccess program. Then, the actual disguised data K*(i), D*(i,j) can bepublicly stored and accessed.

Data Dependent Disguises

[0440] According to the present invention, a disguise can bestrengthened by making the disguise program depend more heavily on theprogram data. Certain disguise methods discussed above are already datadependent in a weak way, specifically where the disguise method dependson:

[0441] 1. Sizes of vectors, matrices, pixel arrays, character strings,etc., and

[0442] 2. Approximate extremes of functions, pixel values, charactersizes, etc.

[0443] It is desirable to find ways to strengthen disguise algorithms toincrease the protection against security risks when the same disguisealgorithm must be used repeatedly, for example, when an outsourcedcomputation requires a large amount of data. Increasing the dependencyof disguise algorithms on the data is one way to accomplish this.

[0444] It is within the scope of the present invention to increase thedata dependency of disguises by, for example:

[0445] (A) using values of one or more data elements to determine atleast a portion of the seeds of the random number generators used. Forexample, in the notation of the disguise programs, settemp=G_(UNIF)(k(1), [0,L]) and then use data(temp) as the seed for therandom number generator where “data” is a vector or matrix element, apixel value, a function value, etc., taken from the problem data. Inmore compact notation, this is using

G_(UNIF)(data(G_(UNIF)(k(1), [O,L₁]), [O,L₂]);

[0446] which means that the seed (of the uniform random number generatorG_(UNIF)) for the second random number generated is derived from thedata value selected by the first random number generated.

[0447] (B) where one or more data elements comprises a function,creating a 5-10% perturbation of one or more of the functions for use asone of the basis functions of a random function space; or

[0448] (C) where one or more data elements comprises a symbolic element,using one or more of the symbolic elements (e.g., sin(3.12x)) or partsthereof (e.g., 3.12=1.09+2.03) to perform a disguising operation.

[0449] The data dependent disguises are helpful because they make thedisguise process more complex and thus more difficult to break.

[0450] The data dependent disguises are especially useful in cases wherea single disguise is used repetitively. For example, if the customer hasa huge number of items to be outsourced, creating individualizeddisguises may be very burdensome. If the same disguise program is usedover and over again, it provides an opportunity for someone to break thedisguise because the random numbers would be used over and over again.If the disguise program is data dependent, this would not happen and theoverall “collection” of outsourced computations would be much moresecure.

Identities for Disguising Computer Programs

[0451] Another embodiment of the present invention comprises computerprogram identities, which change nothing computationally in the computerprogram, but which are effective for obfuscating a computer program toprevent unauthorized access to or use of the program. The obfuscation ofthe computer program occurs through code entanglement where the originalprogram code is entangled with that of the program identities. Theresulting code is known as a “tangle.”

[0452] Desirable features of a tangle include (i) an intentionallycomplex logical structure; (ii) the mixing together of severalsubprograms or threads of control in a way to obscure each of them;(iii) the use of only simple statements to express a computation; (iv)the choice of variable names and statement labels so as to be asmeaningless as possible; and (v) making multiple uses of the variablesinvolved, including misleading variables that are not involved in theunderlying “real” computation. In other words, a tangle is mixing,rewriting, and reorganizing of several computations so as to enhance theobscurity of the program code and to enhance the difficulty inunderstanding or tracing through it.

[0453]FIG. 16 shows a flow chart illustrating a method for creating atangle according to the present invention. As shown in FIG. 16, “dummy”program code, i.e., computer code that performs no meaningful functionand has no effect on the results of the execution of the real computerprogram code, is created in the step shown as block 1110. In the stepshown as block 1120, the dummy program is tangled with the real computercode. An end user looking at the tangled code is unable to determinewhich parts of the code are the real code and which parts are the dummycode.

[0454] Preferably, a tangle is “opaque” in two ways. First, the tanglepreferably is opaque to inspection; a person inspecting the code cannotuntangle the code by reading it or even when using software tools knownin the art, such as debuggers, decompilers, and program monitors.Second, the tangle preferably is opaque to program tracing based onsimulating the hardware, including memory maps at all levels, usinghardware simulators of a type known in the art.

[0455] The following method illustrates code entanglement according tothe present invention. In a first code fragment

(X1, X2)→OP-A→(Y1, Y2),

[0456] OP-A is an operation, X1 and X2 represent values prior to theperformance of operation OP-A, and Y1 and Y2 represent values after theperformance of operation OP-A. In a second code fragment

(a1, a2)→OP-G→(b1, b2)

[0457] OP-G is an operation, a1 and a2 represent values prior to theperformance of operation OP-G, and b1 and b2 represent values after theperformance of operation OP-G.

[0458] It is desired to entangle these code fragments within a tangle.The creation of a tangle comprises two types of input and output:

[0459] Real: The real input is transformed into the real output.

[0460] Dummy: The dummy input is used in the tangle and leads to thedummy output.

[0461] The dummy output need not be used beyond the tangle.

[0462] According to this embodiment of tangle creation, the entanglementmethod proceeds as follows:

[0463] Step 1: Make 5 copies each of X1, X2, a1, a2. Four copies of eachcomprise the dummy input of a tangle. One copy of each comprises thereal input of the tangle.

[0464] Step 2A: When X1 and X2 appear in the real output from thetangle, they are used to perform OP-A(X1,X2) which, in this instance,produces “tempA.” Five copies of tempA then are made. Four copies oftempA comprise the dummy input of a second tangle. One copy of tempAcomprises the real input of the second tangle.

[0465] Step 2G: When al and a2 appear in the real output from thetangle, they are use to perform OP-G(a1, a2) which, in this instance,produces “tempG.” Five copies of tempG are made. Four copies of tempGcomprise the dummy input of a second tangle. One copy of tempG comprisesthe real input of the second tangle.

[0466] Step 3A: When tempA appears in the real output form the secondtangle, it is placed into (Y1, Y2).

[0467] Step 3G: When tempG appears in the real output from the secondtangle, it is placed into (b1, b2).

[0468] The code in the tangle must have two properties. First, it mustbe complicated and mix all the input variables to a considerable degree.Second, it must regenerate the dummy input values from time to timeduring the computation. An illustration of this process is shown in FIG.15. The figure shows OP-A and OP-G outside the tangle, but in practice,these operations would be in the middle of the tangle also. Likewise,the preceding description discussed use of a second tangle. It is withinthe scope of the present invention that use of a second tangle may beaccomplished by a two iterations of a single tangle.

[0469] A code entanglement system has another dimension, namely,multiple statements in both the application and codes. The dummy andreal inputs are mixed across operators, as well as among themselves.

[0470] The steps used to create a large tangle from two smaller ones areas follows:

[0471] Step 1: Create a first Tangle code, T1, similar to that discussedabove in reference to FIG. 15, with real inputs X1, X2, a1, and a2 (asin FIG. 15) replicated approximately 3 to 4 times.

[0472] Step 2: Collect the real outputs Y1, Y2, b1, and b2 (as in FIG.15) at the end of T1 and compute

temp1=2*Y1+Y2

temp2=b1+b2

[0473] Step 3: Create second Tangle code, T2, similar to that discussedabove in reference to FIG. 15, with the inputs temp1 and temp2replicated approximately 3 to 4 times.

[0474] Step 4: Collect the real outputs temp1 and temp2 at the end ofT2, call them temp3 (which has the value temp 1) and temp4 (which hasthe value temp2). Compute

b1=temp4−b2

Y2=temp3−2*Y1

[0475] Step 5: Entangle the program instructions of T1 and T2 in a waythat makes it difficult to distinguish between the program instructionsof T1 and the program instructions of T2, but that does not preventproper execution of T1 or T2.

[0476] This entanglement method can be used multiple times and withmultiple iterations.

[0477] Further, it is within the scope of the present invention that thestatements in Steps 2 and 4 can serve the purpose of advance thecomputation instead of merely obfuscating it. For example, the functionof a program into which an tangle is to be installed may includecomputing “temp1=2 *Y1+Y2” and “temp2=b1+b2,” and then “temp3=Y2−temp2”and “temp4=temp1+b2.” Recall from the discussion of FIG. 15 above thatOP-A had inputs X1 and X2. In this example, OP-A of tangle T2 can be asubtraction operation with input X1 replaced by Y2 and input X2 replacedby temp2. Recall from the discussion of FIG. 15 above that OP-G hadinputs of a1 and a2. In this example, OP-G of tangle T2 can be anaddition operation with input al replaced by temp1 and input a2 replacedby b2. Accordingly, OP-A of tangle T2 computes temp3=Y2−temp2, and OP-Gof tangle T2 computes temp4=temp1+b2.

[0478] The entanglement methods used in T1 and T2 may be completelyindependent and different. In an embodiment, the following practices maybe used to enhance the obfuscation of the tangle codes:

[0479] (A) The dummy outputs of T1 may be also used as inputs to T2.

[0480] (B) The operations “2*Y1+Y2” and “b1+b2” may inserted into thecodes T1 and T2 at various places using new dummy variables, such as,for example, α, β, γ, and δ, for the input and output.

[0481] (C) There may be no clearly defined end of T1 or beginning of T2.For example, in one implementation, the expression “temp1=2*Y1+Y2” couldappear 78% of the way through T1, and the expression “temp2=b1+b2” couldappear 92% of the way through T1. Then temp1 and temp2 could first beused in T2 at 6% and 18% of the way through T2, respectively. Theplacement of temp1 and temp2 in T1 and T2 according to this examplerepresents only one of many possible implementation of this concept.

[0482] (D) The tangle codes T1 and T2 may use very simple operations,without, for example, library calls for operations such as “max,” “min,”or “sign.” Similarly, the use of arrays and array operations may beavoided. In an further example, looping constructs are not used.Instead, loops in T1 and T2 are built from primitive operations usingtests and jumps. Thus, even if the tangle codes T1 and T2 are programswritten in a high level language like C, Fortran, or Java, they areessentially machine language codes.

[0483] Creation of a tangle according to the present invention can beillustrated by the following example. The pseudocode computer program tobe tangled according to this example is designed to execute thefollowing simple computations:

a=2*b+c

x=y+z

[0484] Shown below are four pseudocode segments illustrating stepsperformed in creating the tangle according to an embodiment of thepresent invention. The first pseudocode segment comprises 40 pseudocodeprogram instructions. According to this example of the creation of atangle according to the present invention, these pseudocode programinstructions merely obfuscate the execution of the above computations.They do not advance the execution of these 20 computations.

[0485] The second pseudocode segment comprises pseudocode for a templateprocedure called NORM. In an embodiment, the template procedure NORM hasarguments x, y, k, and parameters a, b, m, and n. The argument xrepresents the input argument to NORM. The arguments y and k representthe output arguments. The parameters a, b, m, and n are used to tailorNORM for specific applications. As shown hereinafter, the NORM procedureis inserted in-line within the tangle code. In an embodiment, it hasseveral parameters in its structure so that where multiple copies ofNORM are inserted into the tangle code, the copies can differconsiderably if desired by a practitioner of the present invention. Inan embodiment, multiple copies of the procedure NORM also use randomnumbers for constants for further differentiation.

[0486] The third pseudocode segment comprises the first pseudocodesegment as expanded by substituting the pseudocode for the procedureNORM (the second pseudocode segment) for each instance where theprocedure NORM is used in the first pseudocode segment. Through thesesubstitutions, the first pseudocode segment is expanded from 40 programinstructions to more than 600 program instructions. However, the thirdpseudocode segment computationally is identical to the first pseudocodesegment. In addition, the program instructions of the third pseudocodesegment serve merely to obfuscate the execution of the desiredcomputations. They do not advance the execution of these computations.

[0487] The fourth pseudocode segment represents sample of approximately60 pseudocode program instructions from the final tangled pseudocodecomputer program, after further processing according to the presentinvention.

[0488] Eighteen arguments are used in generating the tangle codeaccording to this example. The arguments R1, R2, R3 and R4 representreal arguments. The arguments D1, D2, D3, D4, D5, D6, D7, D8, D9, D10,D11, D12, D13, and D14 are dummy arguments. Initially, the arguments areassigned to matrix A, vector V, and variables X1, X2, X3, and X4 asfollows: Matrix A: D1 D2 R1 D3 R2 D4 D5 D6 D7 Vector V: D8, D9, D10, R3,D11 Variables X1: R4 X2: D12 X3: D13 X4: D14

[0489] As shown in more detail hereinafter, these data structures areused in defining the tangle template. However, after the tangle code iscreated, the data structures are “removed” and all arguments are shownin terms of simple variables.

[0490] In the pseudocode which follows, the procedures MAX, MIN,TRANSPOSE, SIGN, ABS, DOTPRODUCT, and NORM are used. The procedure MAXreceives two or more numbers as its input arguments, and then outputsthe largest number in the set of input arguments. The procedure MINreceives two or more numbers as its input arguments, and then outputsthe smallest number in the set of input arguments. The procedureTRANSPOSE receives a matrix as its input argument, and then transposesthe matrix. The procedure SIGN receives a variable as its inputargument, and then outputs a 1 if the argument is positive, a 0 if theargument is 0, or a −1 if the argument is negative. The procedure SIGNalso may receive a vector or matrix as its input, in which case itoutputs the vector or matrix (as the case may be) in which each scalarcomponent x of the vector or matrix has the value SIGN(x). The procedureSIGN receives a variable as its input argument, and then outputs thevariable multiplied by −1. The procedure SIGN also may receive a vectoror a matrix as its input, in which case it outputs the vector or thematrix (as the case may be) in which each scalar component of the vectoror the matrix is multiplied by −1. The procedure ABS receives a numberas its input argument, and outputs the absolute value of its inputargument. The procedure ABS also may receive a vector or a matrix as itsinput, in which case, it outputs the vector or the matrix (as the casemay be) in which the absolute value of each scalar component iscomputed. The procedure DOTPRODUCT outputs the dot product of twovectors received as input arguments. The procedure NORM receives anumber x as its input argument, and outputs a number y that is between 1and 10, and an integer k, such that y and k satisfy the followingequation: x=y*10^(k). The procedure NORM receives a number as its inputargument, and outputs the corresponding base number and exponent in base10, representing the input argument in scientific notation. Theprocedure RAND(−) receives a random number generator seed as its inputargument, and outputs a random number between 0 and 1, according to auniform distribution. According to the present invention, as a tangle iscreated each of these procedures is expanded in-line using lower levelstatements so as to further obfuscate the computations.

[0491] The pseudocode presented below should be viewed as a template forcreating tangle code to obfuscate a computation (such as a=2*b+c,x=y+z). A practitioner of the present invention can further modify thepseudocode in an implementation of a tangle according to the presentinvention by, for example:

[0492] 1. Permuting the order of appearance of items in the matrix Aand/or vector V, and/or reordering the variables X1 through X4.

[0493] 2. Adjusting the dimensions of the matrix A, vector V, and thenumber of variables. For example, the size of matrix A, vector V, andthe variables X are 3×3, 5×1, and 1,1,1,1, respectively. It will beappreciated by those skilled in the art that these sizes can easily bechanged in the pseudocode to be, for example, 2×3, 9×1, and 1,1,1,respectively.

[0494] The following is the first pseudocode segment comprising 40pseudocode program instructions. Note that procedures MAX, MIN,TRANSPOSE, SIGN, ABS, DOTPRODUCT, and NORM are not yet expanded in thispseudocode segment.

[0495] A(1,1)=A(1,1)+X1

[0496] A(3,3)=A(3,3)+X2

[0497] A(3,1)=A(3,1)+X3

[0498] TRANSPOSE A

[0499] VN=(NORM(V(1)),NORM(V(2)),

[0500] NORM(V(3)),NORM(V(4)),NORM(V(5)))

[0501] \NORM is the template function—see below

[0502] VN=MAX (VN, ABS(V)+12)−

[0503] (RAND(−)−1,RAND(−),RAND(−)*2,RAND(−)*3,RAND(−)*4)

[0504] Vsign=SIGN(V)

[0505] VN(1)<−>VN(2),

[0506] VN(3)<−>VN(4),

[0507] V2(1)=X3

[0508] V3(3)=VN(3)+VN(3)

[0509] V2(1)=−NORM(V2(1))+RAND(−)/8

[0510] V2(2)=−NORM(V2(2))+RAND(−)/7

[0511] V2(3)=−ABS(V2((3))+RAND(−)/6

[0512] X7=MIN(V2)

[0513] X8=MAX(V2)

[0514] X9=X7−10−RAND(−)/2

[0515] X10=X8−12−RAND(−)/3

[0516] X11=X9/2−4

[0517] X12=X10/2−4+1.3

[0518] V=(X11, X12, X9, X10, V(2))

[0519] V=DOTPRODUCT (V, Vsign)

[0520] A(1,1)<−NORM(A(1,1))

[0521] A(3,3)<−NORM(A(3,3))

[0522] A(1,3)=MAX(A(1,1),A(3,3)/2)−RAND(−)/5

[0523] A(3,2)=X1

[0524] X1=A(2,)

[0525] A(2,3)=NORM(X2)

[0526] V3=(SIGN(A(1,3)), SIGN(A(2,2)), SIGN(A(3,1)))

[0527] A(1,2)=NORM(A(1,2))

[0528] A(2,1)<−>−A(3,3)

[0529] A(1,3)=ABS(A(1,3))+12

[0530] A(2,2)=ABS(A(2,2))+16

[0531] A(1,3)=ABS(A(1,3))+4

[0532] X12=MAX (col 1 of A)

[0533] X13=MAX (col 2 of A)

[0534] X14=MAX (col 3 of A)

[0535] A(1,3)=(X12−12)*V3(1)

[0536] A(2,3)=(X13−16)*V3(2)

[0537] A(3,3)=(X14−4)*V3(3)

[0538] This first pseudocode segment constitutes most of the obfuscatorytangle code, albeit prior to the in-line expansion of the procedures.The code comprising the actual computations (i.e., a=2*b+c, x=y+z) alsois needed and will be added in a later stage.

[0539] The next step in creation of the tangle code is expanding theprocedures MAX, MIN, TRANSPOSE, SIGN, ABS, DOTPRODUCT, and NORM intoin-line pseudocode. Expansion of the procedure NORM is illustrated inthis example, it being understood that the principles demonstratedthereby can be adapted to expansion of the other procedures. Note thatNORM is more complex than the other procedures, thus it provides moreobfuscation and more possibilities for variations.

[0540] Recall that the procedure NORM can be represented in this exampleas NORM(x). The argument x represents the input argument to NORM. Thearguments y and k represent the output arguments. The function of theprocedure NORM is to normalize a number. In other words, the proceduretakes a first number x as its input, and returns a second number y thatsatisfies 1≦y≦10, and a third number k that is the approximate exponentof x in base 10.

[0541] The parameters a, b, m, and n are used to tailor NORM forspecific applications. Parameters a, b, m, and n are specified when thecode for NORM is generated for a particular application. Once specifiedfor a particular application, they do not change during the use of NORMin that application.

[0542] The following pseudocode segment comprises pseudocode for theprocedure called NORM. Variables with numerical suffixes (such as “yl”and “a2”) are local to NORM. y1 = x a1 = MIN(a,2) b1 = MAX(b,8) c1 =a1 + b1 + x a2 = MAX (a1,1) b2 = MIN (b1,10) c2 = MIN (x,c1) a3 = 3 + a2− 2 b3 = .25*b2 + 7 c3 = (c2 + (1 + x)/2) If x < 0 then y1 = −x If y1 <a3 goto Lab 1 If y1 > b3 goto Lab 2 k = 0 y2 = x + b3 + y1 Lab 3: y3 =b3 − x y4 = y3 − a3 * (.5 + RAND(−)/2) y5 = MIN(x,y4) y = y5 EXITPROGRAM Lab 1: k1 = −1 Lab 11: TFOR i = 1 to m do y3 = y1*(9.5 +RAND(−)) k1 = k1 − .9 + RAND(−)/5 If y3 > a3 goto Lab 3 End TFOR y4 =y3 + X y5 = y3*(975 + RAND(−)/2) k1 = k1 − .95 + RAND(−)/10 k = k1 If y5< a3 then [y1 = y5, goto Lab 11], else [y2 = y5, goto Lab] Lab 2: k1 = 1Lab 21: TFOR j = 1 to n do y4 = y1/(9.6 + RAND9−)*.8) k1 = k1 + .97 +RAND(−)*.06) If y4 < b3 goto L3 End TFOR y3 = (y4 + x)*.5 y5 = y4*(9.8 +RAND(−)*.4) y1 = y5 If y1 > b3 then goto Lab 21, else [y2 = y1, k = k1,goto Lab 3]

[0543] The third pseudocode segment comprises the first pseudocodesegment as expanded by substituting the pseudocode for the procedureNORM (shown above as the second pseudocode segment) for each instancewhere the procedure NORM is used in the first pseudocode segment. Inaddition, the loop statement “TFOR . . . End TFOR” of the NORM procedureis expanded using the parameters m and n to define the number ofunrolled loops in the pseudocode. Through these substitutions andexpansions, the first pseudocode segment is expanded from 40 programinstructions to more than 600 program instructions.

[0544] In addition to substitutions and expansions, the third pseudocodesegment has been rearranged in various ways to hide the content andstructure of the first pseudocode segment, without affectingcomputational integrity. For example, the logic of certain “if . . .then” and “if . . . then . . . else” statements has been altered toprovide equivalent conditional instructions. The sequence of certainunrelated instructions has been changed. The identities of thepseudocode variables are hidden by giving them “meaningless” names.These represent only a small subset of possible obfuscatory techniques.Other obfuscatory techniques as would occur to those of skill in the artmay be used in addition to or in lieu of these techniques.

[0545] The following is the third pseudocode segment. Recall that,despite the complexity of this pseudocode segment, the third pseudocodesegment computationally is identical to the first pseudocode segment. Inaddition, the program instructions of the third pseudocode segment servemerely to obfuscate the execution of the desired computations. They donot advance the execution of these computations. Q01 = D1 Q08 = D2 Q70 =R1 Q64 = D3 Q02 = R2 Q09 = D4 Q17 = D5 Q62 = D6 Q07 = D7 Q75 = D8 Q04 =D9 Q06 = D10 Q69 = R3 Q13 = D11 Q14 = R1 Q36 = Q06 Q74 = 4.21 Q15 = Q74if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < 8.5 then Q12 = b Q55 = 8.5 Q43= Q74 + Q12 + Q06 Q72 = Q74 if Q72 < 1 then Q74 = 1 Q54 = Q12 if Q54 >10 then Q54 = 10 Q05 = Q06 if Q05 > Q06 then Q05 = Q43 Q21 = 3+Q72−2 Q18= .25*Q54+7 Q10 = (Q05+(1+Q06)/2) If Q06 < 0 then Q63 = −Q06 If Q63 <Q21 goto Lab 1a If Q63 > Q18 goto Lab2a Q56 = 0 Q31 = Q06+Q18+Q63 Lab3a: Q73 = Q18−Q06 Q41 = Q73−Q21*(.5+482/2) Q11 = MIN(Q06,Q41) Q28 = Q11Goto Lab4a Lab 1a: Q19 = −1 Lab 11a: Q73 = Q63*(9.5+.891) Q19 =Q19−.9+.372/5 If Q73 > Q21 goto Lab 3a Q73 = Q63*(9.5+.891) Q19 =Q19−.9+.72/5 If Q73 > Q21 goto Lab 3a Q41 = Q73+Q11 Q11 =Q73*(9.75+.694/2) Q19 = Q19−.95+.822/10 Q56 = Q19 If Q11 < Q21 the [Q63= Q11, goto Lab 11a] else [Q31 = Q11, goto Lab 3a] Lab 2a: Q19 '2 1 Lab21a: Q41 = Q63/(9.6+.109*8) Q19 = Q19+.97+.586*.06) If Q41 < Q18 gotoLab 3a Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.824*.06) If Q41 < Q18 gotoLab 3a Q73 = (Q41+Q06)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 > Q18then goto Lab 21a else [Q31 = Q63, Q56 = Q19, goto Lab 3a] Lab4: Q03 =D12 Q70 = D13 Q74 = Q75 if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < b thenQ12 = b Q43 = Q74 + Q12 + Q13 Q72 = Q74 if Q72 < 1 then Q74 = 1 Q54 =Q12 if Q54 > 10 then Q54 = 10 Q05 = Q13 if Q05 > Q13 then Q05 = Q43 Q12= 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q13)/2) If Q13 < 0 then Q63 =−Q13 If Q63 < Q21 goto Lab 1b If Q63 > Q18 goto Lab 2b Q56 '2 0 Q31 =Q13+Q18+Q63 Lab3b: Q73 = Q18−Q13 Q41 = Q73−Q21*(.5+731/2) Q11 =MIN(Q13,Q41) Q36 = Q11 Goto Lab5 Lab2b: Q19 = 1 Lab21b: Q41 =Q63/(9.6+.468*.8) Q19 = Q19+.97+.326*.06) If Q14 < Q18 goto Lab3b Q41 =Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06) If Q41 < Q18 goto Lab 3b Q73 =(Q41+Q31)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 > Q18 then gotoLab21b else [Q31 = Q63, Q56 = Q19, goto Lab3b] Lab 1b: Q19 = −1 Lab1 1b:Q73 = Q63*(9.5+.481) Q19 = Q19−.9+.285/5 If Q73 > Q1 goto Lab3b Q73 =Q63*(9.5+.371) Q19 = Q19−.9+546/5 If Q73 > Q21 goto Lab3b Q73 =Q63*(9.5+.9357) Q19 = Q19−.9+.449/5 If Q73 > Q21 goto Lab3b Q41 = Q73+XQ11 = Q73*(9.75+.601/2) Q19 = Q19−.95+.295/10 Q56 = Q19 If Q11 > Q21then [Q31 = Q11, goto Lab3b] else ]Q63 = Q11, goto Lab 11b] Lab5: Q59 =D14 Q01 = Q01 + Q14 Q07 = Q07 + Q03 Q17 = Q17 + Q70 Q04 = Q04 + Q59 Q23= Q70 Q32 = Q09 Q70 = Q17 Q61 = Q08 Q09 '2 Q62 Q17 = Q62 Q61 = Q32 Q08 =Q64 Q64 = Q61 Q63 = Q75 Q74 = Q75 if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12< b then Q12 = b Q43 = Q74 + Q12 + Q75 Q72 = Q74 if Q72 < then Q74 = 1Q54 = Q12 if Q54 > 10 then Q54 = 10 Q05 = Q75 if Q05 > Q75 then Q05 =Q43 Q21 = 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1Q75)/2) If Q75 < 0 thenQ63 = −Q75 If Q63 < Q21 goto Lab 1c If Q63 > Q18 goto Lab2c Q56 = 0 Q31− Q75+Q18+Q63 Lab3c: Q73 = Q18−Q75 Q41 = Q73−Q21*(.5+.832/2) Q11 =MIN(Q75.Q41) Q26 = Q11 Goto Lab7 Lab1c: Q19 = −1 Lab11c: Q73 =Q63*(9.5+.9371) Q19 = Q19−.9+.849/5 If Q73 > Q21 goto Lab3c Q41 =Q73+Q18 Q11 = Q73*(9.75+.814/2) Q19 = Q19−.95+.737/10 Q56 = Q19 If Q11 <Q21 then [Q63 = Q11, goto Lab 11c] else [Q31 = Q11, goto Lab3c] Lab2c:Q19 = 1 Lab2c: Q41 = Q63/(9.6+.109*.8) Q19 = Q19+.97+.825*.06) If Q41 <Q18 goto Lab3c Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+744*.06) If Q41 <Q18 goto Lab3c Q41 = Q63/(9.6+.618*.8) Q19 = Q19+.97+.088*.06) If Q41 <Q18 goto Lab3c Q41 = Q63/(9.6+.725*.8) Q19 = Q19+.97+.088*.06) If Q41 <Q18 goto Lab3c Q41 = Q63/(9.6+.725*.8) Q19 = Q19+.97+.424*.06) If Q41 <Q18 goto Lab3c Q73 = (Q41+Q75)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 IfQ63 > Q18 then goto Lab21c else [Q31 = Q63, Q56 = Q19, goto Lab3c] Lab7: Q63 = Q04 Q74 = Q18 if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < b thenQ12 = b Q43 = Q74 + Q12 + Q04 Q72 = Q74 if Q72 < 1 then Q74 = 1 Q54 =Q12 if Q54 > 10 then Q54 = 10 Q05 = Q04 if Q05 > Q04 then Q05 = Q43 Q21= 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05(1+Q04)/2) If Q04 < 0 then Q63 =−Q04 If Q63 < Q21 goto Lab1 If Q63 > Q18 goto Lab2 Q56 = 0 Q31 =Q04+Q18+Q63 Lab 3: Q73 = Q18−Q04 Q41 = Q73−Q21*(.5+.832/2) Q11 =MIN(Q04.Q41) Q32 = Q11 Goto Lab6 Lab1: Q19 = −1 Lab11: Q73 =Q63*(9.5+.9371) Q19 = Q19−.9+.849/5 If Q73>Q21 goto Lab3 Q41 = Q73+X Q11= Q73*(9.75+.814/2) Q19 = Q19−.95+.737/10 Q56 = Q19 If Q11 < Q21 then[Q63 < Q11, goto Lab11] else [Q31 = Q11, goto Lab3] Lab2: Q19 = 1 Lab21:Q41 = Q63/(9.6+.109*.8) Q19 = Q19+.97+.825*.06) If Q41 < Q18 goto La3Q41 = Q63(9.6+.185*.8) Q19 = Q19+/97+/744*.06) If Q41 < Q18 goto Lab3Q41 = Q63/(9.6+618*8) Q19 = Q19+.97+.088*.06) If Q41 < Q18 goto Lab3 Q41= 063/(9.6+.725*.8) Q19 = Q19+.97+.424*.06) If Q41 < Q18 goto Lab3 Q73 =(Q41+Q04)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 > Q18 then gotoLab21 else [Q31 = Q63, Q56 = Q19, goto Lab3] Lab6: Q63 = Q69 Q74 = Q69if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < b then Q12 = b Q43 = Q74 +Q12 + Q69 Q72 = Q74 if Q72 < 1 then Q74 = 1 Q54 = Q12 if Q54 > 10 thenQ54 = 10 Q05 = Q69 if Q05 > Q69 then Q05 = Q43 Q21 = 3+Q72−2 Q18 =25*Q54+7 Q10 = (Q05+(1+Q69)/2) If Q69 < 0 then Q63 = Q69 If Q63 < Q21goto Lab1 If Q63 > Q18 goto Lab2 Q56 = 0 Q31 = Q69+Q18+Q63 Lab3: Q73 =Q18−Q69 Q41 = Q73−Q21*(.5+.731/2) Q11 = MIN(Q69,Q41) Q37 = Q11 Goto Lab8Lab2: Q19 = 1 Lab21: Q41 = Q63/(9.6+.468*.8) Q19 = Q19+.97+.326*.06) IfQ41 < Q18 goto Lab3 Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06) IfQ41 < Q18 goto Lab3 Q41 = Q63/(9.6+.065*.8) Q19 = Q19+.97+.824*.06) IfQ41 < Q18 goto Lab3 Q73 = (Q41+Q69)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11If Q63 > Q18 then goto Lab21 else [Q31 = Q63, Q56 = Q19, goto Lab3]Lab1: Q19 = −1 Lab11: Q73 = Q63*(9.5+.481) Q19 = Q19−.9+.285/5 If Q73 >Q21 goto Lab3 Q73 = Q63*(9.5+.371) Q19 = Q19−.9+.546/5 If Q73 > Q21 gotoLab3 Q73 = Q63*(9.5+.9357) Q19 = Q19−.9+.449/5 If Q73 > Q21 goto Lab3Q41 = Q73+X Q11 = Q73*(9.75+.601/2) Q19 = Q19−.95+.295/10 Q56 = Q19 IfQ11 > Q21 then [Q31 = Q11, goto Lab3] else [Q63 = Q11, goto Lab11] Lab8:Q26 = MAX(Q26, ABS(Q75)+12) − (RAND(−)−1) Q32 = MAX(Q32, ABS(Q04)+12) −RAND(−) Q28 = MAX(28, ABS(Q06+12) − RAND(−)*2 Q37 = MAX(Q37,ABS(Q69)+12) − RAND(−)*3 Q36 = MAX(Q36, ABS(Q13)+12) − RAND(−)*4 Q29 =SIGN(Q75) Q46 = SIGN(Q04) Q51 = SIGN(Q06) Q50 = SIGN(Q69) Q48 =SIGN(Q13) Q47 = Q32 Q32 = A26 Q26 = Q47 Q54 = Q37 Q37 = Q28 Q28 = Q52,Q36 = Q70 Q27 = Q26 + Q36, Q40 = Q32 + Q37, Q44 = Q29 + Q28 Q63 = W27Q74 = 4.21 Q15 = Q74 if Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < 8.5 thenQ12 = b Q55 = 8.5 Q43 = Q74 + Q12 + Q27 Q72 = Q74 if Q72 < 1 then Q74 =1 Q54 = Q12 if Q54 > 10 then Q54 = 10 Q05 = Q27 if Q05 > Q27 then Q05 =Q43 Q21 = 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q27)/2) If Q27 < 0 thenQ63 = Q27 If Q63 < Q21 goto Lab1d If Q63 > Q18 goto Lab2d Q56 = 0 Q31 =Q27 + Q18 + Q63 Lab3d: Q73 = Q18−Q27 Q41 = Q73−Q21*(.5+.482/2) Q11 =MIN(Q27,Q41) Q27 = Q11 Goto Lab8 Lab1d: Q19 '2 −1 Lab1d: Q73 =Q63*(9.5+.891) Q19 = Q19−.9+.372/5 If Q73 > Q21 goto Lab3d Q73 =Q63*(9.5+.891) Q19 = Q19−.9+72/5 If Q73 × Q21 goto Lab3d Q41 = Q73+X Q11= Q73*(9.75+.694/2) Q19 = Q19−.95+.822/10 Q56 = Q19 If Q11 < Q21 then[Q63 = Q11, goto Lab11fd] else [Q31 = Q11, goto Lab3d] Lab2d: Q19 '2 1Lab21d: Q41 = Q63/(9.6+.109*.8) Q19 = Q19+.987+.586*.06) If Q41 < Q18goto Lab3d Q41 = Q63/9.6+.185*.8 Q19 = Q19+.97+.744*.06) If Q41 < Q18goto Lab3d Q41 = Q63/(9.6+.065*.8) Q19 = Q19+.97+.824*.06) If Q41 < Q18goto Lab3d Q73 = (Q41+Q27)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 >Q18 then goto Lab21d else [Q31 = Q63, Q56 = Q19, goto Lab3d] Lab8: Q27 =Q27+RAND(−)/8 Q63 = Q40 Q74 = Q27 if Q74 > 2 then Q74 = 2 Q21 = 8 if Q12< b then Q12 = b Q43 = Q74 + Q12 + Q40 Q72 = Q74 if Q72 < 1 then Q74 = 1Q54 = Q12 if Q54 > 10 then Q54 = 10 Q05 = Q40 if Q05 > Q40 then Q05 =Q43 Q21 = 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q40)/2) If Q40 < 0 thenQ63 = −Q40 If Q63 < Q21 goto Lab1e If Q63 > Q18 goto Lab2e Q56 = 0 Q31 =Q40+Q18+Q63 Lab3e: Q73 = Q18−Q40 Q41 = Q73−Q21*(.5+.832/2) Q11 =MIN(Q40,Q41) Q40 = Q11 Goto Lab9 Lab1e: Q19 = −1 Lab11e: Q73 =Q63*(9.5+.9371) Q19 = Q19−.9+.849/5 If Q73 > Q21 goto Lab3e Q41 = Q73+XQ11 = Q73*(9.75+.84/2) Q19 = Q19−.95+.737/10 Q56 = Q19 If Q11 < Q21 then[Q63 = Q11, goto Lab11e] else [Q31 = Q11, goto Lab3e] Lab2e: Q19 = 1Lab21e: Q41 = Q63/(9.6+.109*8) Q19 = Q19+.97+.825*.06) If Q41 < Q18 gotoLab3e Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06) If Q41 < Q18 gotoLab3e Q41 = Q63/(9.6+.618*.8) Q19 = Q19+.97+.088*.06) If Q41 < Q18 gotoLab3e Q41 = Q63/(9.6+.725*.8) Q19 = Q19+.97+.424*.06) If Q41 < Q18 gotoLab3e Q73 = (Q41+Q40)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 > Q18then goto Lab2e1 else [Q31 = Q63, Q56 = Q19, goto lab3e] Lab9: Q40 = Q40+.264 Q39 = −ABS(Q39)+RAND(−)/6 Q20 = MIN(Q27,Q40,Q39) Q61 =MAX(Q39,Q40,Q27) Q23 = Q20−10−RAND(−)/2 Q81 = Q61−12−RAND(−)/3 Q22 =Q23/2−4 Q24 = Q81/2−4+1.3 Q74 = Q22 Q04 = Q24 Q06 = Q23 Q69 = Q81 Q13 =Q04 Q04 = Q04*Q46 Q06 = Q06*Q51 Q75 = Q75*Q29 Q13 = Q13*Q48 Q69 =Q69*Q50 Q63 = Q01 Q74 = Q75 If Q74 > 2 then Q74 = 2 Q12 = 8 if Q12 < 6then Q12 = b Q43 = Q74 + Q12 + Q01 Q72 = Q74 if Q72 < 1 then Q74 = 1 Q54= Q12 if Q54 > 10 then Q54 = 10 Q05 = Q01 if Q05 > Q01 then Q05 Q43 Q21= 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q01)/2) If Q01 < 0 then Q63 =−Q01 If Q63 < Q21 goto Lab 1f If Q63 > Q18 goto Lab 2f Q56 = 0 Q31 =Q01+Q18+Q63 Lab3f: Q73 = Q18+Q01 Q41 = Q73−Q21*(.5+832/2) Q11 =MIN(Q01,Q41) Q01 = Q11 Goto Lab11 Lab 1f: Q19 = −1 Lab 11f: Q73 =Q63*(9.5+.9371) Q19 = Q19−.9+.849/5 If Q73 > Q21 goto Lab3f Q41 =Q73+Q08 Q11 = Q73*(9.75+.814/2) Q19 = Q19−..95.737/10 Q56 = Q19 If Q11 <Q21 then [Q63 = Q11, goto Lab11f] else [Q31 = Q11, goto Lab3f] Lab2f:Q19 = 1 La21f: Q41 = Q63/(9.6+.109*.8) Q19 = Q19+.97+.825*.06) If Q41 <Q18 goto Lab3f Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06) If Q41 <Q18 goto Lab3f Q41 = Q63/(9.6+.618*.8) Q19 = Q19+.97+.088*.06) If Q41 >Q18 goto Lab3f Q41 = Q63/(9.6+.725*.8) Q19 = Q19+.97+.424*.06) If Q41 <Q18 goto Lab 3f Q73 = (Q41+Q01)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 IfQ63 > Q18 then goto Lab21f else [Q31 = Q63, Q56 = Q19, goto Lab3f]Lab11: Q63 = Q07 Q74 = 4.21 Q15 = Q74 if Q74 > 2 then Q74 = 2 Q12 = 8 ifQ12 < 8.5 then Q12 = b Q55 = 8.5 Q43 = Q74 + Q12 + Q07 Q72 = Q74 if Q72< 1 then Q74 = 1 Q54 = Q12 if Q54 > 10 then Q54 = 10 Q05 = Q07 if Q05 >Q07 then Q05 = Q43 Q21 = 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q07)/2)If Q07 < 10 then Q63 = −Q07 If Q63 < Q21 goto Lab1g If Q63 > Q18 gotoLab2g Q56 = 0 Q31 = Q07+Q18+Q63 Lab3g: Q73 = Q18−Q07 Q41 =Q73−Q21*(.5′.482/2) Q11 = MIN(Q07,Q41) Q07 = Q11 Goto Lab12 Lab1g: Q19 =−1 Lab11g: Q73 = Q63*(9.5+.891) Q19 = Q19−.9+.327/5 If Q73 > Q21 gotoLab3g Q73 = Q63*(9.5+.891) Q19 = Q19−.9+.72/5 If Q73 > Q21 goto Lab3gQ41 = Q73+Q41 Q11 = Q73*(9.75+.694/2) Q19 = Q19−.95+.822/10 Q56 = Q19 IfQ11 < Q21 then [Q63 = Q11, goto Lab11g] else [Q31 = Q11, goto Lab3g]Lab2g: Q19 = 1 Lab21g: Q41 = Q63/(9.6+.109*.8) Q19 = Q19+.97+.586*.06)If Q41 < Q18 goto Lab3g Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06)If Q41 < Q18 goto Lab3g Q41 = Q63/(9.6+.065*.8) Q19 = Q19+.97+.824*.06)If Q41 < Q18 goto Lab3g Q73 = (Q41+Q07)*.5 Q11 = Q41*(9.8+.382*.4) Q63 =Q11 If Q63 > Q18 then goto Lab21g else [Q31 = Q63, Q56 = Q19, gotoLab3g] Lab12: Q70 '2 MAX(Q01,Q07/2)−RAND(−)/5 Q62 = Q14 Q14 = Q02 Q63 =Q03Q74 = Q19 If Q74 × 2 then Q74 = 2 Q12 = 8 If Q12 < b then Q12 = b Q43= Q74 + A12 + Q03 Q72 = Q74 If Q74 < 1 then Q74 = 1 Q54 = Q12 If Q54 >10 then Q54 = 10 Q05 = Q03 Of Q05 > Q03 then Q05 = Q43 Q21 = 3+Q72−2 Q18= .25*Q54+7 Q10 = (Q05+(1+Q03)/2) If Q03 < 0 hen Q63 = −Q03 If Q63 < Q21goto Lab1h If Q63 > Q18 goto Lab2h Q56 = 0 Q31 = Q03+Q18+Q63 Lab3h: Q73= Q18−Q03 Q41 = Q73−Q21*(.5+.731/2) Q11 = MIN(Q03,Q41) Q09 = Q11 GotoLab13 Lab2h: Q19 '2 1 Lab21h: Q41 = Q63/(9.6+.468*.8) Q19 =Q19+.19+.326*.06) If Q41 < Q18 goto Lab3h Q41 = Q63/(9.6+.185*.8) Q19 =Q19+.97+.744*.06) If Q41 < Q18 goto Lab3h Q41 = Q63/(9.6+.065*.8) Q19 =Q19+.97+.824*.06) If Q41 < Q18 goto Lab3h Q73 = (Q41+Q03)*.5 Q11 =Q41*(9.8+.382*.4) Q63 = Q11 If Q63 > Q18 then goto Lab21h else [Q31 =Q63, Q56 = Q19, goto Lab3h] Lab1h: Q19 = −1 Lab11h: Q73 = Q63*(9.5+481)Q19 '2 Q19−.91+.285/5 If Q73 > Q21 goto Lab3h Q73 = Q63*(9.5+.371) Q19 =Q19−.9+.546/5 If Q73 > Q21 goto Lab3h Q73 = Q63*(9.5+.9357) Q19 =Q19−.9+.449/5 If Q73 > Q21 goto Lab3h Q41 = Q73+Q75 Q11 =Q73*(9.75+.601/2) Q19 = Q19−.95+.295/10 Q56 = Q19 If Q11 > Q21 then [Q31= Q11, goto Lab3h] else [Q63 = Q11, goto Lab11h] Q63 = SIGN(Q70) Q53 =SIGN(Q02) Q44 = SIGN(Q17) Q63 = Q08 Q74 = Q22 If Q74 > 2 then Q74 = 2Q12 = 8 If Q12 < b then Q12 = b Q43 = Q74 + Q12 + Q08 Q72 = Q74 If Q72 <1 then Q74 = 1 Q54 = Q12 If Q54 > 10 then Q54 = 10 Q05 = Q08 If Q05 >Q08 then Q05 = Q43 Q21 = 3+Q72−2 Q18 = .25*Q54+7 Q10 = (Q05+(1+Q08)/2)If Q08 < 0 then Q63 = −Q08 If Q63 < Q21 goto Lab1i If Q63 > Q18 gotoLab2i Q56 = 0 Q31 = Q08+Q18+Q63 Lab3i: Q73 = Q18−Q08 Q41 =Q73−Q21*(.5+.731/2) Q11 = MIN(Q08,Q41) Q08 = Q11 Goto Lab13 Lab2i: Q19 =1 Lab21i: Q41 = Q63/(9.6+.468*.8) Q19 = Q19+.97+.326*.06) If Q41 < Q18goto Lab 3i Q41 = Q63/(9.6+.185*.8) Q19 = Q19+.97+.744*.06) If Q41 < Q18goto Lab3i Q41 = Q63/(9.6+.065*.8) Q19 = Q19+.97+.824*.06) If Q41 < Q19goto Lab3i Q73 = (Q41+Q08)*.5 Q11 = Q41*(9.8+.382*.4) Q63 = Q11 If Q63 >Q18 then goto Lab2i else [Q31 = Q63, Q56 = Q19, goto Lab3i] Lab1i: Q19'2 −1 Lab11i: Q73 = Q63*(9.5+.481) Q19 = Q19−.9+.285/5 If Q73 > Q21 gotoLab3i′Q73 = Q63*(9.5+.371) Q19 = Q19−.9+.546/5 If Q73 > Q21 goto Lab3iQ73 = Q63*(9.5+.9357) Q19 = Q19−.9+.449/5 If Q73 > Q21 goto Lab3i Q41 =Q73+Q41 Q11 = Q7*(9.75+.601/2) Q19 = Q19−.95+.295/10 Q56 = Q19 If Q11 >Q21 then [Q31 = Q11, goto Lab3i] else [Q63 = Q11, goto Lab 11] Lab13:Q64 = Q36 − Q07 Q70 = ABS(Q70)+12 Q02 = ABS(Q02)+16 Q70 = ABS(Q70)+4 Q24= MAX(Q01,Q64,Q17) Q68 = MAX(Q08,Q02,Q62) Q33 = MAX(Q70,Q09,Q07) Q70 =(Q24−12)*Q63 Q09 = (Q68−16)*Q53 Q07 = (Q33−4)*Q44

[0546] There are several more transformations which may be done to thispseudocode to obtain the final tangled pseudocode computer program. Forexample, the procedures ABS, MAX, MIN, and SIGN may be replaced byin-line code, and the “if . . . then” and “if . . . then . . . else”statements may be replaced by simple “goto” constructions. Certainexpressions may be 5 expanded into simple sequences. For example, anexpression of the form Q41 =Q63/(9.6+0.065*.8) may be replaced by fourexpressions of the following form which accomplish the same result:

Q92=0.065*0.8

Q87=Q92+9.6

Q92=1/Q87

Q41=Q63*Q92

[0547] Changes such as these approximately double the length of thethird pseudocode segment.

[0548] In the final step, the desired computations (i.e., a=2*b+c,x=y+z) are incorporated into the pseudocode. The resultant tangledpseudocode computer program expands the simple computations a=2*b+c andx=y+z into a pseudocode program having more than 1400 programinstructions. The fourth pseudocode segment shown below representssample of 60 program instructions of the final tangled pseudocodecomputer program.

[0549] 1. Q25=Q14

[0550] 2. Q7=Q13

[0551] 3. Q11=Q7−Q2

[0552] 4. if(Q11>0) goto 5

[0553] 5. Q7=Q2

[0554] 6. Q11=Q7−Q26

[0555] 7. Q27=Q25

[0556] 8. if(Q11>0) goto 13

[0557] 9. Q7=Q26

[0558] 10. Q30=Q6

[0559] 11. Q34=Q25+Q30

[0560] 12. Q1=Q30+Q29

[0561] 13. Q3=Q12−Q20

[0562] 14. Q3=Q33+Q20

[0563] 15. Q4=Q13

[0564] 16. Q3=Q12−Q24

[0565] 17. Q22=Q2−Q4

[0566] 18. Q16=Q26+Q29

[0567] 19. Q9=Q35+Q26

[0568] 20. Q31=Q20−Q27

[0569] 21. if(Q22<0) goto 23

[0570] 22. Q4=Q26

[0571] 23. Q23=Q16+Q12

[0572] 24. Q11=Q26−Q4

[0573] 25. Q34=Q34+Q13

[0574] 26. Q16=Q23+Q30

[0575] 27. Q15=Q10+Q30

[0576] 28. if(Q11<0) goto 30

[0577] 29. Q4=Q26

[0578] 30. Q5=Q17*Q19

[0579] 31. Q9=Q1+Q25

[0580] 32. Q1=Q16+Q20

[0581] 33. Q25=Q25+Q33

[0582] 34. Q15=Q15+Q12

[0583] 35. Q1O=Q8

[0584] 36. Q21=Q7−Q13

[0585] 37. if(Q31<0) goto 39

[0586] 38. Q27+Q30

[0587] 39. Q31=Q27−Q30

[0588] 40. Q5=Q25+Q5

[0589] 41. if(Q3<0) goto 43

[0590] 42. Q30+Q18

[0591] 43. if(Q31<0) goto 45

[0592] 44. Q31=Q30

[0593] 45. goto 47

[0594] 46. Q31=Q27

[0595] 47. Q4=Q4+Q15

[0596] 48. Q3=Q27

[0597] 49. Q30=Q30+Q6

[0598] 50. Q9=Q21−Q15

[0599] 51. Q21=Q21−Q34

[0600] 52. if(Q21>0) goto 54

[0601] 53. Q1O=Q32

[0602] 54. Q19=Q29+Q25

[0603] 55. Q5=Q34+Q19

[0604] 56. Q23=Q23+Q9

[0605] 57. Q16=Q31+Q31

[0606] 58. Q3=Q23+Q3

[0607] 59. Q3=Q3+Q29

[0608] 60. Q19=Q19+Q35

[0609] According to the present invention, a tangled computer programhas simple, machine language-like statement. Tangled computer programsaccording to the present invention are created by first writing shortercomputer program at a higher level of abstraction, using a high levelprogramming language. It is likely that this original code uses highlevel constructions like arrays, elementary library functions and loops.These constructions are translated (compiled) into simple code usingillogical (but correct) translators. Further, a given high levelconstruction is translated differently each time. This approach allowsone to automate the construction of tangles by using a large set ofparameterized templates applied to much shorter hand written,parameterized codes. The number of parameter combinations is so largethat one would never create two identical (or even very similar)tangles.

[0610] At first sight it seems very expensive to expand a computerprogram of, for example, 200 , statements into a tangled computerprogram of, for example, 2000 statements. However, entanglement usuallyneeds to be used only occasionally to make a large set of informationsecure. If each item of a data set is of independent value, then muchshorter entanglements must be used, perhaps expanding each item by only2 or 3 additional items. However, it is believed that one large tangle(such as 2000 statements in length) is much harder to untangle than 100smaller tangles (such as 20 statements in length each). Think of theanalogy of factoring integers; it is much easier to factor 100 integersof length 20 than one integer of length 2000. Thus, security is enhancedby having a few very large tangles instead of having many much smallertangles.

[0611] One can quantify the cost of entanglement as follows. Considertwo blocks of code, each with 6 ordinary statements. Then the repeateduse of the above tangle creation approach set forth herein may result in10,000 to 15,000 statements in one or more tangles. In a modem computer,this requires about 100 kilobytes of memory and about 10-20 microsecondsto execute. This is a small price to pay for better security.

[0612] The present invention comprises a system for creating a tangledcomputer program from a source code input. In embodiment of a system forcreating a tangled computer program according to the present invention,the system comprises a dummy code library, program instructions operableto cause the system to create a tangled program from a source codeinput, and one or more methods for creating a tangled computer program.The methods for creating a tangled computer program are embodied insoftware and resident in the system. Where more than one such method isavailable, the actual method applied to the entangle the source codeinput optionally is selectable by the user. The output of the system isa computer program comprising at least one tangle.

[0613] Those of skill in the art will appreciate that the methods andsystems recited herein and in the claims may be performed by computersoftware and/or computer hardware, appropriately configured andprogrammed. It also will be appreciated by those of skill in the artthat the mutually secure disguise and computational outsourcing methodsof the present invention can be adapted to be applied to many situationswhere customer C1 and customer C2 each has private data. C1 and C2desire to compare their private data, but do not wish to reveal theirprivate data to each other. In addition to the situations and examplesdiscussed herein, other exemplary situations in which the mutuallysecure disguise and computational outsourcing methods of the presentinvention include, without limitation, hand geometry matching, DNAmatching, retinal scan matching, iris pattern matching, signaturematching, voice print matching, human thermogram matching, human gaitdynamics matching, ear pattern matching, keystroke dynamics matching,human odor matching, social security number matching, birth datematching, bank account number matching, passport number matching,telephone number matching, employee number matching, resume text orimage matching, tax return text or image matching, credit report text orimage matching, birth certificate text or image matching, medical recordtext or image matching, bank record text or image matching, passwordmatching, lock combination matching, encryption key matching, diary textor image matching, and similar text and/or image comparison and matchingprocesses.

[0614] All publications, patents, and patent applications cited in thisspecification are herein incorporated by reference as if each individualpublication, patent, or patent application were specifically andindividually indicated to be incorporated by reference and set forth inits entirety herein. While this invention has been described as having apreferred design, the present invention can be further modified withinthe scope and spirit of this disclosure. This application is thereforeintended to cover any variations, uses, or adaptations of the inventionusing its general principles. For example, the methods disclosed hereinand in the appended claims represent one possible sequence of performingthe steps thereof. A practitioner of the present invention may determinein a particular implementation of the present invention that multiplesteps of one or more of the disclosed methods may be combinable, or thata different sequence of steps may be employed to accomplish the sameresults. Each such implementation falls within the scope of the presentinvention as disclosed herein and in the appended claims. Furthermore,this application is intended to cover such departures from the presentdisclosure as come within known or customary practice in the art towhich this invention pertains.

We claim:
 1. A method for secure computational outsourcing comprising:determining a first set of actual arguments for an outsourcedcomputation; determining a second set of actual arguments for saidoutsourced computation; preparing a first group of disguised argumentscorresponding to said first set of actual arguments with a firstcomputer; preparing a second group of disguised arguments correspondingto said second set of actual arguments with a second computer;outputting said first and second groups of disguised arguments from saidfirst and second computers, respectively, for performance of saidoutsourced computation; receiving said first and second groups ofdisguised arguments with a third computer; performing said outsourcedcomputation with said third computer using said first and second groupsof disguised arguments to achieve a result; sending said result fromsaid third computer to said first and second computers; and receivingsaid result with said first and second computers. 2 The method of claim1, wherein said result is in a disguised form relative to an actualanswer that would have been obtained by submitting said first and secondsets of actual arguments to said third computer for said outsourcedcomputation.
 3. The method of claim 1, further comprising computing anactual answer from said result with said first and second computers. 4.The method of claim 1, wherein said first computer has a memory, saidmemory comprising a plurality of computation types, and wherein saidstep of preparing said first group of disguised arguments comprises:classifying said outsourced computation into one of said plurality ofcomputation types; selecting at least one of a plurality of disguisingoperations based on said classifying step; and performing said at leastone disguising operation on said first set of actual arguments with saidfirst computer to provide said first group of disguised arguments. 5.The method of claim 4, wherein said plurality of computation typescomprises at least one computation type selected from the groupconsisting of matrix multiplication, matrix inversion, solution of alinear system of equations, quadrature, convolution, solution of one ormore differential equations, optimization, solution of a nonlinearsystem of equations, image edge detection, sorting, character stringpattern matching, integral equations, statistical regression,statistical correlation, natural language processing, biometric datamatching, database analysis, data mining, and classification problems.6. The method of claim 1, wherein said second computer has a memory,said memory comprising a plurality of computation types, and whereinsaid step of preparing said second group of disguised argumentscomprises: classifying said outsourced computation into one of saidplurality of computation types; selecting at least one of a plurality ofdisguising operations based on said classifying step; and performingsaid at least one disguising operation on said second set of actualarguments with said second computer to provide said second group ofdisguised arguments.
 7. The method of claim 6, wherein said plurality ofcomputation types comprises at least one computation type selected fromthe group consisting of matrix multiplication, matrix inversion,solution of a linear system of equations, quadrature, convolution,solution of one or more differential equations, optimization, solutionof a nonlinear system of equations, image edge detection, sorting,character string pattern matching, integral equations, statisticalregression, statistical correlation, natural language processing,biometric data matching, database analysis, data mining, andclassification problems.
 8. The method of claim 1, wherein said step ofpreparing said first group of disguised arguments comprises performingat least one disguising operation on said first set of actual argumentswith said first computer to provide said first group of disguisedarguments, and said step of preparing said second group of disguisedarguments comprises performing at least one disguising operation on saidsecond set of actual arguments with said second computer to provide saidsecond group of disguised arguments, the method further comprising thestep of: exchanging information related to said at least one disguisingoperation performed on said first set of actual arguments and said atleast one disguising operation performed on said second set of actualarguments between said first and second computers to permit each of saidfirst and second computers to compute an actual answer from said result.9. The method of claim 1, wherein said third computer is remotelylocated relative to said first and second computers.
 10. The method ofclaim 1, wherein each of said steps of preparing a first group ofdisguised arguments and a second group of disguised arguments comprisesgenerating a plurality of random numbers, said random numbers each beinggenerated by one of a plurality of random number generation techniques,said techniques each comprising at least one different distributionparameter.
 11. The method of claim 10, wherein each of said steps ofpreparing a first group of disguised arguments and a second group ofdisguised arguments further comprises defining a plurality of disguisefunctions with one or more of said random numbers.
 12. The method ofclaim 1, wherein each of said steps of preparing a first group ofdisguised arguments and a second group of disguised arguments comprisesmodifying a linear operator.
 13. The method of claim 1, wherein each ofsaid steps of preparing a first group of disguised arguments and asecond group of disguised arguments comprises altering a dimensioncorresponding to said first and second sets of actual arguments toprovide said first and second groups of disguised arguments,respectively.
 14. The method of claim 13, wherein each of said alteringsteps comprises expanding the dimension.
 15. The method of claim 1,wherein each of said steps of preparing a first group of disguisedarguments and a second group of disguised arguments comprises performinga function substitution in accordance with at least one mathematicalidentity.
 16. A method for secure computational outsourcing comprising:providing to a computer a plurality of disguised arguments from a firstsource and a second source, said plurality of disguised arguments hidinga plurality of actual arguments; providing said computer with one ormore instructions for performing an outsourced computation on saidplurality of disguised arguments; performing said outsourced computationon said disguised arguments with said first computer using said one ormore instructions; and outputting a result of said outsourcedcomputation with said computer to both said first source and said secondsource.
 17. The method of claim 16, wherein said outsourced computationis of a type selected from the group consisting of matrixmultiplication, matrix inversion, solution of a linear system ofequations, quadrature, convolution, solution of one or more differentialequations, optimization, solution of a nonlinear system of equations,image edge detection, sorting, character string pattern matching,integral equations, statistical regression, statistical correlation,natural language processing, biometric data matching, database analysis,data mining, and classification problems.
 18. A system for securecomputational outsourcing comprising: a first computer operable todefine a first set of actual arguments for an outsourced computation,said first computer being programmed to determine a first group ofdisguised arguments from said first set of actual arguments, said firstgroup of disguised arguments hiding at least one characteristic of saidfirst set of actual arguments; a second computer operable to define asecond set of actual arguments for said outsourced computation, saidsecond computer being programmed to determine a second group ofdisguised arguments from said second set of actual arguments, saidsecond group of disguised arguments hiding at least one characteristicof said second set of actual arguments; first and second output devicesresponsive to said first and second computers, respectively, to outputsaid first and second groups of disguised arguments for remoteperformance of said outsourced computation; and first and second inputdevices to permit said first and second computers, respectively, toreceive a disguised result of said outsourced computation performed withsaid first and second groups of disguised arguments, said first andsecond computers being operable to determine an actual answer from saiddisguised result.
 19. The system of claim 18, wherein said first andsecond computers are further programmed to classify said outsourcedcomputation as being one of a plurality of computation types, saidplurality of computation types comprising at least one computation typeselected from the group consisting of matrix multiplication, matrixinversion, solution of a linear system of equations, quadrature,convolution, solution of one or more differential equations,optimization, solution of a nonlinear system of equations, image edgedetection, sorting, character string pattern matching, integralequations, statistical regression, statistical correlation, naturallanguage processing, biometric data matching, database analysis, datamining, and classification problems.
 20. The system of claim 18, furthercomprising a computing center, said computing center being programmed toperform said outsourced computation with said first and second groups ofdisguised arguments.
 21. The system of claim 18, wherein said first andsecond computers each comprises a memory and a library of disguisingoperations stored in said memory, wherein said programming of each saidfirst and second computers references said library to generate saidfirst and second groups of disguised arguments, respectively.
 22. Thesystem of claim 21, wherein said library of disguising operationscomprises at least one disguising operation selected from the groupconsisting of random object generation, argument dimension modification,linear operator modification, mathematical identity substitution,coordinate system modification, domain mapping, inserting partitions ofunity, logical identity substitution, inserting redundant computations,and disguise function generation.
 23. The system of claim 18, whereinsaid first and second computers are operable to generate said first andsecond groups of disguised arguments, respectively, using first andsecond disguising operations, respectively, said first computer beingoperable to output information related to said first disguisingoperation to be received by said second input device of said secondcomputer, and said second computer being operable to output informationrelated to said second disguising operation to be received by said firstinput device of said first computer, thereby permitting each of saidfirst and second computers to determine said actual answer from saidresult.
 24. A method for secure computational outsourcing comprising:obtaining a first set of actual data; preparing a first set of disguiseddata corresponding to said first set of actual data with a firstcomputer; transmitting said first set of disguised data from said firstcomputer to a second computer; preparing a second set of disguised datacorresponding to a second set of actual data; comparing said first setof disguised data to said second set of disguised data with said secondcomputer; and transmitting a result of said comparing step from saidsecond computer to said first computer.
 25. The method of claim 24,further comprising the step of transmitting said second set of disguiseddata from a third computer to said second computer prior to saidcomparing step.
 26. The method of claim 24, wherein said second set ofactual data is stored in a database, said third computer being operableto prepare said second set of disguised data from said database prior tosaid transmitting step.
 27. The method of claim 24, further comprisingthe step of selectively performing a function in response toinstructions from said first computer based on said result received fromsaid second computer.
 28. The method of claim 27, wherein saidselectively performed function comprises an authorization functionselected from the group consisting of providing access to an area of abuilding, automatically unlocking a door, and approving a businesstransaction.
 29. The method of claim 24, wherein said first set and saidsecond set of actual data are disguised using an identical disguisingoperation.
 30. The method of claim 24, wherein said first set of actualdata is selected from a group consisting of fingerprint identificationdata, DNA sequence data, credit card data, image data, text data,biometric data, password data, keyword data, smart card data, and planargraph data.
 31. The method of claim 24, wherein said first set and saidsecond set of actual data each comprises an image matrix.
 32. The methodof claim 3 1, wherein said result comprises a score matrix.
 33. Themethod of claim 24, wherein said first set of actual data is obtainedusing at least one input device.
 34. The method of claim 33, whereinsaid at least one of said at least one input devices is selected fromthe group consisting of a fingerprint reader, a voice print reader, aface geometry reader, a hand geometry reader, an iris scanner, a retinascanner, a bar code reader, an IR signal receiver, an RF signalreceiver, a magnetic stripe reader, and a smart card reader.
 35. Themethod of claim 24, wherein said second set of disguised data isprepared by a third computer.
 36. A method for securing data fromunauthorized access, theft and tampering, said data and an associatedcomputer program being stored in a computer memory, said methodcomprising: performing a disguising operation on said data to disguisesaid data; and performing a tamperproofmg operation on said computerprogram.
 37. The method of claim 36, wherein said data comprises aplurality of data elements, and wherein said disguising operationcomprises: generating a random number for each data element; andmodifying each data element by adding said random number to said dataelement.
 38. The method of claim 37, wherein seeds for generating saidrandom numbers are obtained from said data elements.
 39. The method ofclaim 37, wherein each said data elements comprises a function and saidrandom numbers are generated using a perturbation of said function. 40.The method of claim 37, wherein each said data elements comprises asymbolic element and said symbolic element is used to perform saiddisguising operation.
 41. The method of claim 36, wherein said datacomprises a plurality of ordered data elements and said disguisingoperation comprises the step of randomly reordering said ordered dataelements.
 42. The method of claim 36, wherein said data comprises aplurality of real numbers, said method further comprising using afloating-point processor of said computer to perform said disguisingoperation.
 43. The method of claim 36, wherein said computer programcomprises instructions for accessing said data.
 44. The method of claim43, wherein said computer program further comprises instructions foraccessing information about said data.
 45. The method of claim 44,wherein said information about said data comprises instructions forchanging said data.
 46. The method of claim 45, wherein said informationabout said data further comprises an identity of a person authorizing achange to said data.
 47. A method for securing data from unauthorizedaccess, theft and tampering, said data and an associated computerprogram being stored in a computer memory, said computer program beingwritten in a first programming language, said method comprising:partitioning said computer program into a first program and a secondprogram; executing said first program to determine whether access tosaid data is authorized; executing said second program to entangle saidsecond program and said data; and translating said second program into asecond programming language to secure said data.
 48. The method of claim47, wherein said step of executing said first program comprisesdetermining whether an authorized output device is being used to accesssaid data.
 49. The method of claim 47, wherein said step of executingsaid first program further comprises: obtaining said identity of saidperson using said computer to access said data; and determining whethersaid identity is authorized to access said data.
 50. The method of claim47, wherein said step of executing said first program further comprises:obtaining said identity of said computer being used to access said data;and determining whether said identity is authorized to access said data.51. The method of claim 47, wherein said step of executing said secondprogram further comprises intermixing portions of said second programand portions of said data.
 52. A method for securing a plurality of dataelements from unauthorized access, theft, and tampering, said dataelements and an associated computer program being stored in a computermemory, said method comprising: executing said computer program togenerate a sequence of random numbers; dividing said sequence of randomnumbers into a plurality of random number segments; dividing said dataelements into a corresponding plurality of data segments; identifying aprogramming code segment associated with each of said random numbersegments; interspersing said code segments and data segments in a file;and replacing each data element with a code segment and a data segmentin said file.
 53. The method of claim 52, further comprising: generatinga plurality of segments of false information; and inserting a segment offalse information adjacent to a corresponding data segment in said file.54. The method of claim 53, wherein said segments of false informationare configured to appear to comprise data, programming code, or data incombination with programming code.
 55. A method for securing data fromunauthorized access, theft and tampering, said data having an associatedfirst computer program written in a first programming language, saiddata and said first computer program being stored on a computer, saidmethod comprising the steps of: creating a second programming language;creating a second computer program to emulate said second programminglanguage, said second computer program configured to be executed on saidcomputer; and translating said first computer program into said secondprogramming language using said second computer program to secure saiddata.
 56. A computer-implemented method for securing a picture fromunauthorized access, theft, and tampering, said method comprising:identifying a plurality of points on said picture to create a planargraph; determining coordinates for each of said points on said planargraph; indexing said point coordinates to create a first vector; andperforming a disguising operation on said first vector.
 57. The methodof claim 56, further comprising after the step of determiningcoordinates for each of said points on said planar graph, the step ofconverting said point coordinates to represent a frontal view of saidpicture if said picture is not of a frontal view.
 58. The method ofclaim 56, wherein said disguising operation comprises: ordering saidvector according to a random permutation of integers; generating asecond vector of the same length as said first vector; and adding saidsecond vector to said first vector.
 59. The method of claim 56, whereinsaid picture comprises an image of a human face.
 60. The method of claim56, wherein said picture comprises an image of a fingerprint.
 61. Acomputer-implemented method for identifying said subject of a firstpicture by comparison to a second picture, said method comprising:identifying a plurality of points on said first and second pictures tocreate first and second planar graphs, respectively; determiningcoordinates for each of said points on each of said first and secondplanar graphs; indexing said point coordinates for each of said firstand second planar graphs to create first and second vectors,respectively; performing a disguising operation on said first and secondvectors; and comparing said first and second disguised vectors.
 62. Themethod of claim 61, further comprising the step of revealing saidsubject of said first picture by performing an unveiling operation onsaid first disguised vector.
 63. A method for securing a database fromunauthorized access, theft, and tampering, said method comprising:partitioning said database into a computer program and a plurality ofdata entries; assigning a key to each data entry using said computerprogram; and performing a disguising operation on each key and each dataentry to secure said database.
 64. The method of claim 63, wherein saiddisguising operation comprises: generating random data using a randomdata generator; adding said random data to each data entry; and addingsaid random data to each key to disguise said database.
 65. The methodof claim 64, wherein said computer program comprises said random datagenerator, and a tamperproofing operation is performed on said computerprogram.
 66. The method of claim 63, further comprising the step ofdetecting whether an authorized user has exceeded an access limit.
 67. Amethod for securing computer program code from unauthorized access,theft, and tampering, said computer program code operable to perform areal operation on a real input to produce a real output, said methodcomprising: creating dummy program code operable to perform a dummyoperation on a dummy input to produce a dummy output; replicating eachof said real input and said dummy input at least one time; performingsaid real operation using said replicated real input and said replicateddummy input to produce a first output; performing said real operationusing said first output if said first output comprises said real inputto produce a second output; performing said dummy operation using saidfirst output if said first output comprises said dummy input to producea third output; storing said second output as said real output; andstoring said third output as said dummy output.
 68. The method of claim67, wherein said computer program code comprises a plurality of programstatements.
 69. The method of claim 68, wherein said dummy codecomprises a plurality of program statements.
 70. A method for securing acomputer program from unauthorized access, theft, and tampering, saidcomputer program comprising real programming code, said methodcomprising: creating dummy program code; replicating each of said realcode and said dummy code at least one time; and mixing said dummy codeand said real code.
 71. The method of 70, wherein said real codecomprises a plurality of program statements.
 72. The method of 71,wherein said dummy code comprises a plurality of program statements. 73.The method of claim 70, wherein said dummy code comprises a plurality ofvariables that are not used by said computer program.
 74. The method ofclaim 73, wherein said variables are used by said dummy code more thanonce.
 75. The method of claim 74, wherein each variable has a variablename and each variable name has no meaning with respect to said computerprogram.
 76. A method for secure computational outsourcing comprising:providing a first computer having a memory, said memory comprising aplurality of computation types, said plurality of computation typescomprising at least one computation type selected from the groupconsisting of matrix multiplication, matrix inversion, solution of alinear system of equations, quadrature, convolution, solution of one ormore differential equations, optimization, solution of a nonlinearsystem of equations, image edge detection, sorting, character stringpattern matching, integral equations, statistical regression,statistical correlation, natural language processing, biometric datamatching, database analysis, data mining, and classification problems;providing a second computer having a memory, said memory comprising aplurality of computation types, said plurality of computation typescomprising at least one computation type selected from the groupconsisting of matrix multiplication, matrix inversion, solution of alinear system of equations, quadrature, convolution, solution of one ormore differential equations, optimization, solution of a nonlinearsystem of equations, image edge detection, sorting, character stringpattern matching, integral equations, statistical regression,statistical correlation, natural language processing, biometric datamatching, database analysis, data mining, and classification problems;determining a first set of actual arguments for an outsourcedcomputation; determining a second set of actual arguments for saidoutsourced computation; preparing a first group of disguised argumentscorresponding to said first set of actual arguments with said firstcomputer by classifying said outsourced computation into one of saidplurality of computation types, selecting at least one of a plurality ofdisguising operations based on said classification, and performing saidat least one selected disguising operation on said first set of actualarguments with said first computer to provide said first group ofdisguised arguments; preparing a second group of disguised argumentscorresponding to said second set of actual arguments with said secondcomputer by classifying said outsourced computation into one of saidplurality of computation types, selecting at least one of a plurality ofdisguising operations based on said classification, and performing saidat least one selected disguising operation on said second set of actualarguments with said second computer to provide said first group ofdisguised arguments; outputting said first and second groups ofdisguised arguments from said first and second computers, respectively,for performance of said outsourced computation; receiving said first andsecond groups of disguised arguments with a third computer; performingsaid outsourced computation with said third computer using saiddisguised arguments to produce a disguised result, said disguised resultbeing in a disguised form relative to an actual result of saidoutsourced computation that would have been obtained by submitting saidfirst and second sets of actual arguments to said third computer forsaid outsourced computation; sending said disguised result from saidthird computer to said first and second computers; receiving saiddisguised result with said first and second computers; exchanginginformation related to said at least one selected disguising operationperformed on said first set of actual arguments and said at least oneselected disguising operation performed on said second set of actualarguments between said first and second computers to permit each of saidfirst and second computers to compute an actual answer from saiddisguised result; and computing said actual answer from said disguisedresult with said first and second computers.
 77. A system for securecomputational outsourcing comprising: a first computer comprising amemory and a library of disguising operations stored in said memory,said library of disguising operations comprising at least one disguisingoperation selected from the group consisting of random objectgeneration, argument dimension modification, linear operatormodification, mathematical identity substitution, coordinate systemmodification, domain mapping, inserting partitions of unity, logicalidentity substitution, inserting redundant computations, and disguisefunction generation, said first computer being operable to define afirst set of actual arguments for an outsourced computation, said firstcomputer having a resident program for creating a first group ofdisguised arguments from said first set of actual arguments, saidprogram capable of selecting one or more disguising operations from saidlibrary of disguising operations and applying said selected one or moredisguising operations to said first set of actual arguments to createsaid first group of disguised arguments, said first group of disguisedarguments hiding at least one characteristic of said first set of actualarguments, said program further capable of classifying said outsourcedcomputation as being one of a plurality of computation types, saidplurality of computation types comprising at least one computation typeselected from the group consisting of matrix multiplication, matrixinversion, solution of a linear system of equations, quadrature,convolution, solution of one or more differential equations,optimization, solution of a nonlinear system of equations, image edgedetection, sorting, character string pattern matching, integralequations, statistical regression, statistical correlation, naturallanguage processing, biometric data matching, database analysis, datamining, and classification problems; a second computer comprising amemory and a library of disguising operations stored in said memory,said library of disguising operations comprising at least one disguisingoperation selected from the group consisting of random objectgeneration, argument dimension modification, linear operatormodification, mathematical identity substitution, coordinate systemmodification, domain mapping, inserting partitions of unity, logicalidentity substitution, inserting redundant computations, and disguisefunction generation, said second computer being operable to define asecond set of actual arguments for an outsourced computation, saidsecond computer having a resident program for creating a second group ofdisguised arguments from said second set of actual arguments, saidprogram capable of selecting one or more disguising operations from saidlibrary of disguising operations and applying said selected one or moredisguising operations to said second set of actual arguments to createsaid second group of disguised arguments, said second group of disguisedarguments hiding at least one characteristic of said second set ofactual arguments, said program further capable of classifying saidoutsourced computation as being one of a plurality of computation types,said plurality of computation types comprising at least one computationtype selected from the group consisting of matrix multiplication, matrixinversion, solution of a linear system of equations, quadrature,convolution, solution of one or more differential equations,optimization, solution of a nonlinear system of equations, image edgedetection, sorting, character string pattern matching, integralequations, statistical regression, statistical correlation, naturallanguage processing, biometric data matching, database analysis, datamining, and classification problems; a first output device responsive tosaid first computer to output said first group of disguised argumentsand first identifying information about said one or more disguisingoperations applied to said first set of actual arguments; a secondoutput device responsive to said second computer to output said secondgroup of disguised arguments and second identifying information aboutsaid one or more disguising operations applied to said second set ofactual arguments; a computing center, said computing center beingseparated from said first and second computer and capable of receivingsaid first and second group of disguised arguments and performing saidoutsourced computation with said first and second groups of disguisedarguments to produce a disguised result; a first input devicecommunicatively connected to said first computer and arranged to permitsaid first computer to receive said second identifying information aboutsaid one or more disguising operations applied to said second set ofactual arguments from said second computer and to receive said disguisedresult of said outsourced computation performed with said first andsecond groups of disguised arguments from said computing center, saidfirst computer being operable to determine an actual answer from saidresult based upon said first and second identifying information; and asecond input device communicatively connected to said second computerand arranged to permit said second computer to receive said firstidentifying information about said one or more disguising operationsapplied to said first set of actual arguments from said first computerand to receive said disguised result of said outsourced computationperformed with said first and second groups of disguised arguments fromsaid computing center, said second computer being operable to determinean actual answer from said result based upon said first and secondidentifying information.